Windows Analysis Report
RSno9EH0K9.exe

Overview

General Information

Sample name: RSno9EH0K9.exe
Analysis ID: 1505683
MD5: 8e456f932787fcd0cadbb598174575b2
SHA1: 22b069c76b86bdb6be8cdafc78019b55c583062e
SHA256: c55859f35ad07e3e4b13f45fa5fa4c788f7059daac930ea435600a936104c1b5
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • RSno9EH0K9.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\RSno9EH0K9.exe" MD5: 8E456F932787FCD0CADBB598174575B2)
    • cmd.exe (PID: 7632 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gxtfamnt\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7688 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\nutgoowa.exe" C:\Windows\SysWOW64\gxtfamnt\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7736 cmdline: "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7784 cmdline: "C:\Windows\System32\sc.exe" description gxtfamnt "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7860 cmdline: "C:\Windows\System32\sc.exe" start gxtfamnt MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7932 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • nutgoowa.exe (PID: 7912 cmdline: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d"C:\Users\user\Desktop\RSno9EH0K9.exe" MD5: 834E2E11D20A334B04B409E9ECD91E76)
    • svchost.exe (PID: 7292 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

Malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
00000000.00000002.4129020290.000000000055B000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1000:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security

Source | Rule | Description | Author | Strings
0.3.RSno9EH0K9.exe.2090000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.RSno9EH0K9.exe.2090000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
0.2.RSno9EH0K9.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.RSno9EH0K9.exe.400000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.2.RSno9EH0K9.exe.400000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d"C:\Users\user\Desktop\RSno9EH0K9.exe", ParentImage: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe, ParentProcessId: 7912, ParentProcessName: nutgoowa.exe, ProcessCommandLine: svchost.exe, ProcessId: 7292, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\RSno9EH0K9.exe", ParentImage: C:\Users\user\Desktop\RSno9EH0K9.exe, ParentProcessId: 7552, ParentProcessName: RSno9EH0K9.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7736, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.8.49, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7292, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d"C:\Users\user\Desktop\RSno9EH0K9.exe", ParentImage: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe, ParentProcessId: 7912, ParentProcessName: nutgoowa.exe, ProcessCommandLine: svchost.exe, ProcessId: 7292, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7292, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gxtfamnt
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\RSno9EH0K9.exe", ParentImage: C:\Users\user\Desktop\RSno9EH0K9.exe, ParentProcessId: 7552, ParentProcessName: RSno9EH0K9.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7736, ProcessName: sc.exe
No Suricata rule has matched


AV Detection

Source: RSno9EH0K9.exe | Avira: detected
Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\nutgoowa.exe | Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: 11.3.nutgoowa.exe.d50000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: RSno9EH0K9.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\AppData\Local\Temp\nutgoowa.exe | Joe Sandbox ML: detected
Source: RSno9EH0K9.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Unpacked PE file: 0.2.RSno9EH0K9.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Unpacked PE file: 11.2.nutgoowa.exe.400000.0.unpack
Source: RSno9EH0K9.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\gxtfamnt

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.109 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.111 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.11 443
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.11.0
Source: Joe Sandbox View | IP Address: 67.195.228.109
Source: Joe Sandbox View | IP Address: 52.101.8.49
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 52.101.8.49:25
Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 67.195.228.111:25
Source: global traffic | TCP traffic: 192.168.2.4:49741 -> 64.233.166.26:25
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 217.69.139.150:25
Source: global traffic | TCP traffic: 192.168.2.4:49747 -> 52.101.11.0:25
Source: global traffic | TCP traffic: 192.168.2.4:49749 -> 67.195.228.109:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00402A62: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: global traffic | DNS traffic detected: DNS query: jotunheim.name
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.RSno9EH0K9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RSno9EH0K9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nutgoowa.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RSno9EH0K9.exe.2090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RSno9EH0K9.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nutgoowa.exe.db0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nutgoowa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nutgoowa.exe.500e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nutgoowa.exe.db0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nutgoowa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RSno9EH0K9.exe PID: 7552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nutgoowa.exe PID: 7912, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR

System Summary

Source: 0.3.RSno9EH0K9.exe.2090000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.RSno9EH0K9.exe.2090000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.RSno9EH0K9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.RSno9EH0K9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.RSno9EH0K9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.RSno9EH0K9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.nutgoowa.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.nutgoowa.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.RSno9EH0K9.exe.2090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.RSno9EH0K9.exe.2090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.RSno9EH0K9.exe.2070e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.RSno9EH0K9.exe.2070e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.RSno9EH0K9.exe.2070e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.RSno9EH0K9.exe.2070e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.nutgoowa.exe.500e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.nutgoowa.exe.500e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.nutgoowa.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.nutgoowa.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.nutgoowa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.nutgoowa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.nutgoowa.exe.500e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.nutgoowa.exe.500e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.nutgoowa.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.nutgoowa.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.nutgoowa.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.nutgoowa.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.nutgoowa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.nutgoowa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.4129020290.000000000055B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.2249215134.0000000000533000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00401280: ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\gxtfamnt\
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0040C913
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0041A3E0
Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_0040C913
Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_0041A3E0
Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_00533750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0050C913
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: String function: 020727AB appears 35 times
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: String function: 00402544 appears 53 times
Source: RSno9EH0K9.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.RSno9EH0K9.exe.2090000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.RSno9EH0K9.exe.2090000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.RSno9EH0K9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.RSno9EH0K9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.RSno9EH0K9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.RSno9EH0K9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.nutgoowa.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.nutgoowa.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.RSno9EH0K9.exe.2090000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.RSno9EH0K9.exe.2090000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.RSno9EH0K9.exe.2070e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.RSno9EH0K9.exe.2070e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.RSno9EH0K9.exe.2070e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.RSno9EH0K9.exe.2070e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.nutgoowa.exe.500e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.nutgoowa.exe.500e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.nutgoowa.exe.db0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.nutgoowa.exe.db0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.nutgoowa.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.nutgoowa.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.nutgoowa.exe.500e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.nutgoowa.exe.500e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.nutgoowa.exe.d50000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.nutgoowa.exe.db0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.nutgoowa.exe.db0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.nutgoowa.exe.d50000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.nutgoowa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.nutgoowa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.svchost.exe.500000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.svchost.exe.500000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.4129020290.000000000055B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.2249215134.0000000000533000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: RSno9EH0K9.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@22/3@12/8
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeCode function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeCode function: 0_2_0055C02E CreateToolhelp32Snapshot,Module32First,0_2_0055C02E
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeCode function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,11_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_00509A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,17_2_00509A6B
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeFile created: C:\Users\user\AppData\Local\Temp\nutgoowa.exe
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: RSno9EH0K9.exeReversingLabs: Detection: 28%
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeFile read: C:\Users\user\Desktop\RSno9EH0K9.exe
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_11-15085
        Source: unknownProcess created: C:\Users\user\Desktop\RSno9EH0K9.exe "C:\Users\user\Desktop\RSno9EH0K9.exe"
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gxtfamnt\
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\nutgoowa.exe" C:\Windows\SysWOW64\gxtfamnt\
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description gxtfamnt "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start gxtfamnt
        Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d"C:\Users\user\Desktop\RSno9EH0K9.exe"
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: apphelp.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: msimg32.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: wldp.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: propsys.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: profapi.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: edputil.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: urlmon.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: iertutil.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: srvcli.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: netutils.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: sspicli.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: wintypes.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: appresolver.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: slc.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: userenv.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: sppc.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeSection loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeSection loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeSection loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeSection loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\RSno9EH0K9.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

        Data Obfuscation

        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Unpacked PE file: 0.2.RSno9EH0K9.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Unpacked PE file: 11.2.nutgoowa.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Unpacked PE file: 0.2.RSno9EH0K9.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Unpacked PE file: 11.2.nutgoowa.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0055F316 push 0000002Bh; iretd 0_2_0055F31C
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_00537796 push 0000002Bh; iretd 11_2_0053779C
        Source: RSno9EH0K9.exe | Static PE information: section name: .text entropy: 7.427995980269359

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | File created: C:\Users\user\AppData\Local\Temp\nutgoowa.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe (copy)
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxtfamnt
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 17_2_0050199C
        Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 742
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-15510
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-16068
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_17-6485
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_17-6156
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15410
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_17-7343
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15461
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_17-7459
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_17-6186
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-15101
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14993
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | API coverage: 6.8 %
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | API coverage: 5.3 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 332 | Thread sleep count: 742 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 332 | Thread sleep time: -742000s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 332 | Thread sleep count: 138 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 332 | Thread sleep time: -138000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0041A3E0 GetSystemTimes followed by cmp: cmp dword ptr [004220dch], 0ah and CTI: jne 0041A62Fh 0_2_0041A3E0
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_0041A3E0 GetSystemTimes followed by cmp: cmp dword ptr [004220dch], 0ah and CTI: jne 0041A62Fh 11_2_0041A3E0
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,HeapCreate,GetTickCount, 0_2_00401D96
        Source: svchost.exe, 00000011.00000002.4128911717.0000000002A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | API call chain: ExitProcess graph end node graph_0-15422
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | API call chain: ExitProcess graph end node graph_11-15471
        Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_17-6187

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_17-7681
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0055B90B push dword ptr fs:[00000030h] 0_2_0055B90B
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0207092B mov eax, dword ptr fs:[00000030h] 0_2_0207092B
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_02070D90 mov eax, dword ptr fs:[00000030h] 0_2_02070D90
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_0050092B mov eax, dword ptr fs:[00000030h] 11_2_0050092B
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_00500D90 mov eax, dword ptr fs:[00000030h] 11_2_00500D90
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_00533D8B push dword ptr fs:[00000030h] 11_2_00533D8B
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_00509A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 17_2_00509A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.109 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.26 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.111 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.11 443
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 500000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 500000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 500000
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3E6008
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gxtfamnt\
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\nutgoowa.exe" C:\Windows\SysWOW64\gxtfamnt\
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description gxtfamnt "wifi internet conection"
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start gxtfamnt
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.2.RSno9EH0K9.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RSno9EH0K9.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.3.nutgoowa.exe.d50000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.RSno9EH0K9.exe.2090000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RSno9EH0K9.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.db0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.500e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.db0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RSno9EH0K9.exe PID: 7552, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: nutgoowa.exe PID: 7912, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 0.2.RSno9EH0K9.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RSno9EH0K9.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.3.nutgoowa.exe.d50000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.RSno9EH0K9.exe.2090000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RSno9EH0K9.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.db0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.500e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.db0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.nutgoowa.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RSno9EH0K9.exe PID: 7552, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: nutgoowa.exe PID: 7912, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR
        Source: C:\Users\user\Desktop\RSno9EH0K9.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
        Source: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe | Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 11_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_005088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 17_2_005088B0
        MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the count shown in that matrix cell):

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
        Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
        Execution: Native API (41); Command and Scripting Interpreter (2); Service Execution (3); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
        Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
        Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
        Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
        Discovery: System Time Discovery (12); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (1); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
        Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
        Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
        Behavior Graph ID: 1505683; Sample: RSno9EH0K9.exe; Start date: 06/09/2024; Architecture: WINDOWS; Score: 100

        Start
          DNS/IP: yahoo.com; vanaheim.cn; 7 other IPs or domains
          Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
          • nutgoowa.exe (started)
            Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
            • svchost.exe (started)
              DNS/IP: 67.195.228.109 port 25, YAHOO-GQ1US, United States; mta7.am0.yahoodns.net 67.195.228.111 port 25, YAHOO-GQ1US, United States; 6 other IPs or domains
              Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Adds extensions / path to Windows Defender exclusion list (Registry)
          • RSno9EH0K9.exe (started)
            Dropped: C:\Users\user\AppData\Local\...\nutgoowa.exe, PE32
            Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
            • cmd.exe (started)
              Dropped: C:\Windows\SysWOW64\...\nutgoowa.exe (copy), PE32
              • conhost.exe (started)
            • netsh.exe (started)
              • conhost.exe (started)
            • cmd.exe (started)
              • conhost.exe (started)
            • 3 other processes
              • conhost.exe (started, 3 instances)

        Source | Detection | Scanner | Label
        RSno9EH0K9.exe | 29% | ReversingLabs |
        RSno9EH0K9.exe | 100% | Avira | HEUR/AGEN.1312567
        RSno9EH0K9.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\nutgoowa.exe | 100% | Avira | HEUR/AGEN.1312567
        C:\Users\user\AppData\Local\Temp\nutgoowa.exe | 100% | Joe Sandbox ML |

        No Antivirus matches

        Source | Detection | Scanner | Label
        jotunheim.name:443 | 100% | Avira URL Cloud | malware
        vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        mxs.mail.ru | 217.69.139.150 | true | true | | unknown
        mta7.am0.yahoodns.net | 67.195.228.111 | true | true | | unknown
        jotunheim.name | 80.66.75.11 | true | true | | unknown
        microsoft-com.mail.protection.outlook.com | 52.101.8.49 | true | true | | unknown
        vanaheim.cn | 77.232.41.29 | true | true | | unknown
        smtp.google.com | 64.233.166.26 | true | false | | unknown
        google.com | unknown | unknown | true | | unknown
        yahoo.com | unknown | unknown | true | | unknown
        mail.ru | unknown | unknown | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
        jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        52.101.11.0 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        67.195.228.109 | unknown | United States | 36647 | YAHOO-GQ1US | true
        64.233.166.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
        52.101.8.49 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
        67.195.228.111 | mta7.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
        77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
        80.66.75.11 | jotunheim.name | Russian Federation | 20803 | RISS-ASRU | true
        Joe Sandbox version: 40.0.0 Tourmaline
        Analysis ID: 1505683
        Start date and time: 2024-09-06 16:34:49 +02:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration: 0h 8m 35s
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes: 19
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample name: RSno9EH0K9.exe
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@22/3@12/8
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 70
        • Number of non-executed functions: 263
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Override analysis time to 240s for sample files taking high CPU consumption
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded IPs from analysis (whitelisted): 20.76.201.171, 20.112.250.133, 20.70.246.20, 20.231.239.246, 20.236.44.162
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: RSno9EH0K9.exe

        Time | Type | Description
        10:37:01 | API Interceptor | 858x Sleep call for process: svchost.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          52.101.11.0ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                            knkduwqg.exeGet hashmaliciousTofseeBrowse
                              bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                  vyrcclmm.exeGet hashmaliciousTofseeBrowse
                                    AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                      DWoKcG581L.exeGet hashmaliciousTofseeBrowse
                                        kPl1mZTpru.exeGet hashmaliciousTofseeBrowse
                                          Wc4SadetF5.exeGet hashmaliciousTofseeBrowse
                                            L7iza9mNDI.exeGet hashmaliciousTofseeBrowse
                                              67.195.228.109ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                  Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                    file.exeGet hashmaliciousPhorpiexBrowse
                                                      file.exeGet hashmaliciousPhorpiexBrowse
                                                        RqrQG7s66x.dllGet hashmaliciousUnknownBrowse
                                                          gEkl9O5tiu.exeGet hashmaliciousPhorpiexBrowse
                                                            file.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                              l3Qj8QhTYZ.exeGet hashmaliciousPhorpiexBrowse
                                                                document_excel.exeGet hashmaliciousUnknownBrowse
                                                                  52.101.8.49Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                    vekvtia.exeGet hashmaliciousTofseeBrowse
                                                                      Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                        .exeGet hashmaliciousUnknownBrowse
                                                                          ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                            kPl1mZTpru.exeGet hashmaliciousTofseeBrowse
                                                                              Wc4SadetF5.exeGet hashmaliciousTofseeBrowse
                                                                                L7iza9mNDI.exeGet hashmaliciousTofseeBrowse
                                                                                  file.exeGet hashmaliciousTofseeBrowse
                                                                                    mvu3vh0t.exeGet hashmaliciousTofseeBrowse
                                                                                      217.69.139.150ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                                                        Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                                          knkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                            foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                              bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                                Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                                  SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                                    Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                                      ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                                        SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeGet hashmaliciousTofseeBrowse
                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          mta7.am0.yahoodns.netUc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.109
                                                                                                          bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.204.77
                                                                                                          Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.109
                                                                                                          setup.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 98.136.96.76
                                                                                                          m4Jp2TLBHJ.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.204.77
                                                                                                          SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.204.74
                                                                                                          AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.94
                                                                                                          dIg0MWRViP.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.94
                                                                                                          rpzOeQ5QzX.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 98.136.96.91
                                                                                                          SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exeGet hashmaliciousPhorpiexBrowse
                                                                                                          • 67.195.228.94
                                                                                                          jotunheim.namevyrcclmm.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.11
                                                                                                          AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.11
                                                                                                          kPl1mZTpru.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          Wc4SadetF5.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          L7iza9mNDI.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          file.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          U9dDsItOij.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          t26nL0kcxj.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          SecuriteInfo.com.Win32.BotX-gen.15544.10747.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          SecuriteInfo.com.Win32.BotX-gen.28812.11191.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 80.66.75.77
                                                                                                          mxs.mail.ruODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          qkkcfptf.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 94.100.180.31
                                                                                                          vekvtia.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 94.100.180.31
                                                                                                          knkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 94.100.180.31
                                                                                                          bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 94.100.180.31
                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          YAHOO-GQ1USODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.109
                                                                                                          Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.109
                                                                                                          mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                          • 67.195.2.108
                                                                                                          154.213.187.80-x86-2024-09-01T00_09_56.elfGet hashmaliciousMiraiBrowse
                                                                                                          • 98.137.238.184
                                                                                                          teste.x86.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                                                                          • 98.137.238.174
                                                                                                          https://ashanioliver14.wixsite.com/my-site-1Get hashmaliciousUnknownBrowse
                                                                                                          • 67.195.160.105
                                                                                                          Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.109
                                                                                                          igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.110
                                                                                                          fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.94
                                                                                                          SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 67.195.228.106
                                                                                                          MAILRU-ASMailRuRUODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          qkkcfptf.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 94.100.180.31
                                                                                                          vekvtia.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 94.100.180.31
                                                                                                          knkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 217.69.139.150
                                                                                                          UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                                          • 94.100.180.31
                                                                                                          tjigfd64.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                          • 5.181.61.0
tjigfd64.exe (malicious, LummaC Stealer)
• 5.181.61.0
bEsOrli29K.exe (malicious, Tofsee)
• 217.69.139.150
MICROSOFT-CORP-MSN-AS-BLOCKUS
Factura de proforma.exe (malicious, DBatLoader, FormBook)
• 13.107.137.11
Payment Details.exe (malicious, DBatLoader, FormBook)
• 13.107.137.11
ESW31074TS510.exe (malicious, DBatLoader)
• 13.107.137.11
PI and payment confirmed Pdf.exe (malicious, DBatLoader)
• 13.107.139.11
Assessment from SARS.exe (malicious, DBatLoader)
• 13.107.137.11
https://www.dropbox.com/scl/fo/dypnewy032frqiop6d7gh/AGQRgoJcNqKPbhsYQheP8nM?rlkey=t6ozmhhbporfamqnz8ddx2in0&st=r8w1wv0v&dl=0 (malicious, HTMLPhisher)
• 13.107.246.73
https://www.google.com/url?q=https://google.com/url?hl%3Den%26q%3Dhttps://google.com/url?q%3D4xNZLlTBeMrz3JgT2S2x%26rct%3Duxx6lWWQSQg3lz6tBGEQ%26sa%3Dt%26esrc%3DLnMkARnwEn0HQZmQHxxK%26source%3D%26cd%3DCFK8mnhX1pEg7TmGNG8P%26cad%3DnNq1ozyXGrC1kDZTqknt%26ved%3DYxsBoVntlMlmOm9lZwVR%26uact%3D%26url%3Damp%252Fsushanta.com%252F21%252F&source=gmail&ust=1725491985982000&usg=AOvVaw2OjIR7ELr3F4rLhFIHiJIH#OvyuiE-SUREMAYYcmVpbmEuYXZpbGFAc3RndXNhLmNvbQ== (malicious, HTMLPhisher)
• 13.107.246.60
https://app.pandadoc.com/document/v2?token=5aa7b81a431a1c96450cb48fd7928ac947bc5aea (malicious, Unknown)
• 150.171.28.10
file.exe (malicious, Unknown)
• 52.123.243.83
file.exe (malicious, Unknown)
• 94.245.104.56
No context
No context

Process:C:\Users\user\Desktop\RSno9EH0K9.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12841984
Entropy (8bit):5.51719875100034
Encrypted:false
SSDEEP:49152:ELaRlaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH:E
MD5:834E2E11D20A334B04B409E9ECD91E76
SHA1:0E5B9A794295B9B1CC67603927570F9A4A95E699
SHA-256:3A9E733A24B8A531658A22F1CADFF184693A125A31E009964042BABF40ACB096
SHA-512:13BCA226E7139B602DDA6DE8BEF9424E4B5B177FC03CC95F409170CE6DD13CAFEF387EF638731B1AFD1B61E42EA8F98DE0FB29E9ECD6091C0CAB00B8511A89C8
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12841984
Entropy (8bit):5.51719875100034
Encrypted:false
SSDEEP:49152:ELaRlaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH:E
MD5:834E2E11D20A334B04B409E9ECD91E76
SHA1:0E5B9A794295B9B1CC67603927570F9A4A95E699
SHA-256:3A9E733A24B8A531658A22F1CADFF184693A125A31E009964042BABF40ACB096
SHA-512:13BCA226E7139B602DDA6DE8BEF9424E4B5B177FC03CC95F409170CE6DD13CAFEF387EF638731B1AFD1B61E42EA8F98DE0FB29E9ECD6091C0CAB00B8511A89C8
Malicious:true

Process:C:\Windows\SysWOW64\netsh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3773
Entropy (8bit):4.7109073551842435
Encrypted:false
SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5:DA3247A302D70819F10BCEEBAF400503
SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious:false
Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.567618045686162
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:RSno9EH0K9.exe
File size:218'112 bytes
MD5:8e456f932787fcd0cadbb598174575b2
SHA1:22b069c76b86bdb6be8cdafc78019b55c583062e
SHA256:c55859f35ad07e3e4b13f45fa5fa4c788f7059daac930ea435600a936104c1b5
SHA512:cb26a33dacdcfe804bdd587ecd44b9bf1c59f357e8701fc4f5e1b04d8d8882466c7743fac51969fe8912e1197a5653986eb4a71edc35eee89051b6c98d546c9d
SSDEEP:6144:MGDLD6Tj3Vyg0mwiRjaVlodEFjvn/Mq0Vdh1HQ:M+L2n3VygtzRWJjv+Vdz
TLSH:DA246A1476EF9026EEA7C7340A73D6B1192ABC626EB442BF3294371E2933FD34954352
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?G..lG..lG..l..QlF..l(.bl^..l(.WlU..l(.cl"..lN.ZlB..lG..l7..l(.flF..l(.SlF..l(.TlF..lRichG..l........................PE..L..
Icon Hash:738733b18ba383e4
Entrypoint:0x401a87
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x64B12892 [Fri Jul 14 10:50:58 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:4466917f30d072b6b108006d1bc57b5b

Instruction
call 00007FDBA07D9AD2h
jmp 00007FDBA07D565Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041FAF0h], eax
mov dword ptr [0041FAECh], ecx
mov dword ptr [0041FAE8h], edx
mov dword ptr [0041FAE4h], ebx
mov dword ptr [0041FAE0h], esi
mov dword ptr [0041FADCh], edi
mov word ptr [0041FB08h], ss
mov word ptr [0041FAFCh], cs
mov word ptr [0041FAD8h], ds
mov word ptr [0041FAD4h], es
mov word ptr [0041FAD0h], fs
mov word ptr [0041FACCh], gs
pushfd
pop dword ptr [0041FB00h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041FAF4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041FAF8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041FB04h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041FA40h], 00010001h
mov eax, dword ptr [0041FAF8h]
mov dword ptr [0041F9F4h], eax
mov dword ptr [0041F9E8h], C0000409h
mov dword ptr [0041F9ECh], 00000001h
mov eax, dword ptr [0041E004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041E008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000E4h]

Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ce14 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x16e40 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x197df | 0x19800 | 36d9d8ad2432bc42e1160ebd5b09c3b2 | False | 0.7763576133578431 | data | 7.427995980269359 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x273e | 0x2800 | 9509e792c5338f4b9f36a8ec0ea34ebf | False | 0.34833984375 | data | 4.957858747827386 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1e000 | 0x6240 | 0x2000 | b95cebcf35f1df9c373b6fe28605ab02 | False | 0.1845703125 | data | 2.1279534319819424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25000 | 0x16e40 | 0x17000 | 28390e7f44a74628179815dad390dc7a | False | 0.480521824048913 | data | 5.492921090492436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x36ba8 | 0x2 | data | | | 5.0
KADORUN | 0x35b88 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6020241593209272
SIFUKOCUZEYORA | 0x36780 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6277013752455796
RT_CURSOR | 0x36bb0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x36ce0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x25950 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5868869936034116
RT_ICON | 0x267f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6606498194945848
RT_ICON | 0x270a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7194700460829493
RT_ICON | 0x27768 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7622832369942196
RT_ICON | 0x27cd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5440871369294605
RT_ICON | 0x2a278 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6597091932457786
RT_ICON | 0x2b320 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6782786885245902
RT_ICON | 0x2bca8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8023049645390071
RT_ICON | 0x2c188 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.3494136460554371
RT_ICON | 0x2d030 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5500902527075813
RT_ICON | 0x2d8d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6244239631336406
RT_ICON | 0x2dfa0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6791907514450867
RT_ICON | 0x2e508 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.4262448132780083
RT_ICON | 0x30ab0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5200819672131147
RT_ICON | 0x31438 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5079787234042553
                                                                                                          RT_ICON0x319080xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0TurkishTurkey0.4069829424307036
                                                                                                          RT_ICON0x327b00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0TurkishTurkey0.572202166064982
                                                                                                          RT_ICON0x330580x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 0TurkishTurkey0.625
                                                                                                          RT_ICON0x337200x568Device independent bitmap graphic, 16 x 32 x 8, image size 0TurkishTurkey0.630057803468208
                                                                                                          RT_ICON0x33c880x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TurkishTurkey0.4643527204502814
                                                                                                          RT_ICON0x34d300x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TurkishTurkey0.4504098360655738
                                                                                                          RT_ICON0x356b80x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TurkishTurkey0.49556737588652483
                                                                                                          RT_DIALOG0x394600x84data0.7651515151515151
                                                                                                          RT_STRING0x394e80x362data0.4653579676674365
                                                                                                          RT_STRING0x398500x54edata0.4418262150220913
                                                                                                          RT_STRING0x39da00xa0data0.61875
                                                                                                          RT_STRING0x39e400x8cadata0.41244444444444445
                                                                                                          RT_STRING0x3a7100x8ecdata0.4106830122591944
                                                                                                          RT_STRING0x3b0000x8b0data0.4123201438848921
                                                                                                          RT_STRING0x3b8b00x4fedata0.44209702660406885
                                                                                                          RT_STRING0x3bdb00x8edata0.6056338028169014
                                                                                                          RT_ACCELERATOR0x36b800x28data1.025
                                                                                                          RT_GROUP_CURSOR0x392880x22data1.088235294117647
                                                                                                          RT_GROUP_ICON0x318a00x68dataTurkishTurkey0.7019230769230769
                                                                                                          RT_GROUP_ICON0x2c1100x76dataTurkishTurkey0.6610169491525424
                                                                                                          RT_GROUP_ICON0x35b200x68dataTurkishTurkey0.7211538461538461
                                                                                                          RT_VERSION0x392b00x1acdata0.5864485981308412
DLL | Import
KERNEL32.dll | FillConsoleOutputCharacterA, GetConsoleAliasesLengthW, GetNumaProcessorNode, DebugActiveProcessStop, GetDefaultCommConfigW, CallNamedPipeA, WriteConsoleOutputW, HeapAlloc, InterlockedDecrement, GlobalSize, GetEnvironmentStringsW, CreateDirectoryW, GetComputerNameW, GetSystemDefaultLCID, GetModuleHandleW, GetCommandLineA, GetSystemTimes, GlobalAlloc, LoadLibraryW, GetConsoleAliasExesLengthW, SetConsoleMode, GetFileAttributesW, GetBinaryTypeA, GetStartupInfoW, SetConsoleTitleA, GetShortPathNameA, InterlockedExchange, GetLastError, GetProcAddress, CopyFileA, SetStdHandle, EnterCriticalSection, SearchPathA, BuildCommDCBW, GetNumaHighestNodeNumber, OpenWaitableTimerA, LoadLibraryA, UnhandledExceptionFilter, WritePrivateProfileStringA, QueryDosDeviceW, VirtualLock, FoldStringW, GetModuleFileNameA, FreeEnvironmentStringsW, FindAtomW, CopyFileExA, SetFilePointer, WriteConsoleW, EncodePointer, DecodePointer, MultiByteToWideChar, ExitProcess, GetCommandLineW, HeapSetInformation, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, LeaveCriticalSection, Sleep, HeapSize, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapFree, RtlUnwind, HeapReAlloc, WideCharToMultiByte, LCMapStringW, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, IsProcessorFeaturePresent, ReadFile, CloseHandle, CreateFileW
USER32.dll | GetUserObjectInformationW
Language of compilation system | Country where language is spoken
Turkish | Turkey
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 6, 2024 16:36:19.168179035 CEST | 192.168.2.4 | 1.1.1.1 | 0x9285 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:22.118668079 CEST | 192.168.2.4 | 1.1.1.1 | 0x243 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.226639986 CEST | 192.168.2.4 | 1.1.1.1 | 0x5ff7 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:36:39.234272957 CEST | 192.168.2.4 | 1.1.1.1 | 0x1133 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:59.257884026 CEST | 192.168.2.4 | 1.1.1.1 | 0xc79f | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:36:59.266172886 CEST | 192.168.2.4 | 1.1.1.1 | 0xcec0 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:37:19.273688078 CEST | 192.168.2.4 | 1.1.1.1 | 0x6cd9 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:37:19.282929897 CEST | 192.168.2.4 | 1.1.1.1 | 0xceb2 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:38:44.767280102 CEST | 192.168.2.4 | 1.1.1.1 | 0x4eed | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:39:05.008553028 CEST | 192.168.2.4 | 1.1.1.1 | 0xd105 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:39:42.790118933 CEST | 192.168.2.4 | 1.1.1.1 | 0x9691 | Standard query (0) | jotunheim.name | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:39:45.039819002 CEST | 192.168.2.4 | 1.1.1.1 | 0xdcc7 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | Address | Type | Class | DNS over HTTPS
Sep 6, 2024 16:36:19.203022957 CEST | 1.1.1.1 | 192.168.2.4 | 0x9285 | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:19.203022957 CEST | 1.1.1.1 | 192.168.2.4 | 0x9285 | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:19.203022957 CEST | 1.1.1.1 | 192.168.2.4 | 0x9285 | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:19.203022957 CEST | 1.1.1.1 | 192.168.2.4 | 0x9285 | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:22.212795019 CEST | 1.1.1.1 | 192.168.2.4 | 0x243 | No error (0) | vanaheim.cn | 77.232.41.29 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.233649969 CEST | 1.1.1.1 | 192.168.2.4 | 0x5ff7 | No error (0) | yahoo.com | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:36:39.233649969 CEST | 1.1.1.1 | 192.168.2.4 | 0x5ff7 | No error (0) | yahoo.com | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:36:39.233649969 CEST | 1.1.1.1 | 192.168.2.4 | 0x5ff7 | No error (0) | yahoo.com | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 67.195.228.111 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:39.241333008 CEST | 1.1.1.1 | 192.168.2.4 | 0x1133 | No error (0) | mta7.am0.yahoodns.net | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:59.265661001 CEST | 1.1.1.1 | 192.168.2.4 | 0xc79f | No error (0) | google.com | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:36:59.273264885 CEST | 1.1.1.1 | 192.168.2.4 | 0xcec0 | No error (0) | smtp.google.com | 64.233.166.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:59.273264885 CEST | 1.1.1.1 | 192.168.2.4 | 0xcec0 | No error (0) | smtp.google.com | 64.233.166.27 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:59.273264885 CEST | 1.1.1.1 | 192.168.2.4 | 0xcec0 | No error (0) | smtp.google.com | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:59.273264885 CEST | 1.1.1.1 | 192.168.2.4 | 0xcec0 | No error (0) | smtp.google.com | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:36:59.273264885 CEST | 1.1.1.1 | 192.168.2.4 | 0xcec0 | No error (0) | smtp.google.com | 74.125.133.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:37:19.281508923 CEST | 1.1.1.1 | 192.168.2.4 | 0x6cd9 | No error (0) | mail.ru | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 16:37:19.290666103 CEST | 1.1.1.1 | 192.168.2.4 | 0xceb2 | No error (0) | mxs.mail.ru | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:37:19.290666103 CEST | 1.1.1.1 | 192.168.2.4 | 0xceb2 | No error (0) | mxs.mail.ru | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 16:38:45.017087936 CEST | 1.1.1.1 | 192.168.2.4 | 0x4eed | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.11.0 | A (IP address) | IN (0x0001) | false
                                                                                                          Sep 6, 2024 16:38:45.017087936 CEST1.1.1.1192.168.2.40x4eedNo error (0)microsoft-com.mail.protection.outlook.com52.101.42.0A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:38:45.017087936 CEST1.1.1.1192.168.2.40x4eedNo error (0)microsoft-com.mail.protection.outlook.com52.101.8.49A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:38:45.017087936 CEST1.1.1.1192.168.2.40x4eedNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.26A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net67.195.228.109A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net67.195.204.73A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net67.195.228.110A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net67.195.228.111A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net67.195.204.77A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net67.195.204.79A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:05.015393019 CEST1.1.1.1192.168.2.40xd105No error (0)mta7.am0.yahoodns.net67.195.228.94A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:42.895200968 CEST1.1.1.1192.168.2.40x9691No error (0)jotunheim.name80.66.75.11A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:45.048182964 CEST1.1.1.1192.168.2.40xdcc7No error (0)mxs.mail.ru217.69.139.150A (IP address)IN (0x0001)false
                                                                                                          Sep 6, 2024 16:39:45.048182964 CEST1.1.1.1192.168.2.40xdcc7No error (0)mxs.mail.ru94.100.180.31A (IP address)IN (0x0001)false

                                                                                                          Target ID:0
                                                                                                          Start time:10:35:40
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Users\user\Desktop\RSno9EH0K9.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\RSno9EH0K9.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:218'112 bytes
                                                                                                          MD5 hash:8E456F932787FCD0CADBB598174575B2
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4129020290.000000000055B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1722807602.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:1
                                                                                                          Start time:10:35:45
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gxtfamnt\
                                                                                                          Imagebase:0x240000
                                                                                                          File size:236'544 bytes
                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:2
                                                                                                          Start time:10:35:45
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:3
                                                                                                          Start time:10:35:46
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\nutgoowa.exe" C:\Windows\SysWOW64\gxtfamnt\
                                                                                                          Imagebase:0x240000
                                                                                                          File size:236'544 bytes
                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:4
                                                                                                          Start time:10:35:46
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:5
                                                                                                          Start time:10:35:46
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\sc.exe" create gxtfamnt binPath= "C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d\"C:\Users\user\Desktop\RSno9EH0K9.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                                          Imagebase:0x1000000
                                                                                                          File size:61'440 bytes
                                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:6
                                                                                                          Start time:10:35:46
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:7
                                                                                                          Start time:10:35:47
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\sc.exe" description gxtfamnt "wifi internet conection"
                                                                                                          Imagebase:0x1000000
                                                                                                          File size:61'440 bytes
                                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:8
                                                                                                          Start time:10:35:47
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:9
                                                                                                          Start time:10:35:47
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\sc.exe" start gxtfamnt
                                                                                                          Imagebase:0x1000000
                                                                                                          File size:61'440 bytes
                                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:10
                                                                                                          Start time:10:35:47
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:11
                                                                                                          Start time:10:35:47
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d"C:\Users\user\Desktop\RSno9EH0K9.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:12'841'984 bytes
                                                                                                          MD5 hash:834E2E11D20A334B04B409E9ECD91E76
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.2249215134.0000000000533000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.2249441711.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1947096591.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                          Has exited:true

                                                                                                          Target ID:12
                                                                                                          Start time:10:35:48
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                          Imagebase:0x1560000
                                                                                                          File size:82'432 bytes
                                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:13
                                                                                                          Start time:10:35:48
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:17
                                                                                                          Start time:10:36:07
                                                                                                          Start date:06/09/2024
                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:svchost.exe
                                                                                                          Imagebase:0x650000
                                                                                                          File size:46'504 bytes
                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                          Has exited:false

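The four processes above together show the behaviour a responder has to recognise in endpoint telemetry: a dropped binary under C:\Windows\SysWOW64\gxtfamnt\ launched with the original sample path as its /d argument, netsh.exe adding an inbound allow rule named to look like a Windows description for svchost.exe, and a bare svchost.exe (no -k service group) that stays resident and carries the Tofsee Yara matches. The following Python is an added example for this page, not Joe Sandbox code: it triages constructed process-creation records built from the command lines and the nutgoowa.exe MD5 listed above (Target IDs 11, 12, 13 and 17) plus one benign control. The parent_image values are assumptions; the report does not list parent processes.

```python
"""Triage of Windows process-creation events for the behaviour in this report.

Added example for this report page; it is not Joe Sandbox code. The events
below are constructed from the command lines and the MD5 hash listed in the
process table (Target IDs 11, 12, 13 and 17) plus one benign control. The
parent_image values are assumptions: the report does not list parent
processes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str = ""   # assumed field, as in a Sysmon event ID 1 record
    md5: str = ""


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# MD5 of the dropped binary nutgoowa.exe as listed for Target ID 11.
KNOWN_BAD_MD5 = {"834e2e11d20a334b04b409e9ecd91e76"}

# Windows core binaries that never need an inbound allow rule added by netsh
# from a user-mode dropper; a rule for one of them is a strong tampering signal.
PROTECTED_BASENAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}

_ADD_RULE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
_KEY_VALUE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_netsh_rule(cmdline: str) -> Optional[dict]:
    """Return the key=value pairs of a `netsh advfirewall firewall add rule`
    command line (keys lower-cased, quotes and a trailing cmd redirection such
    as >nul removed), or None if the command line is not such a rule."""
    if not _ADD_RULE.search(cmdline):
        return None
    rule = {}
    for key, _, quoted, bare in _KEY_VALUE.findall(cmdline):
        rule[key.lower()] = quoted if quoted else bare.split(">", 1)[0]
    return rule


def check_firewall_rule(ev: ProcEvent) -> Optional[Finding]:
    """netsh adding an inbound allow rule for a protected Windows binary."""
    if not ev.image.lower().endswith("\\netsh.exe"):
        return None
    rule = parse_netsh_rule(ev.cmdline)
    if rule is None:
        return None
    program = rule.get("program", "")
    basename = program.rsplit("\\", 1)[-1].lower()
    if (rule.get("dir", "").lower() == "in"
            and rule.get("action", "").lower() == "allow"
            and basename in PROTECTED_BASENAMES):
        return Finding(ev.pid, "netsh-allow-protected-binary",
                       f"rule {rule.get('name', '?')!r} allows inbound traffic to {program}")
    return None


def check_svchost_launch(ev: ProcEvent) -> Optional[Finding]:
    """svchost.exe is normally started by services.exe with '-k <group>'; a bare
    'svchost.exe' from any other parent is a hollowing host, as in Target ID 17."""
    if not ev.image.lower().endswith("\\svchost.exe"):
        return None
    args = [a.lower() for a in ev.cmdline.split()[1:]]
    if "-k" in args and ev.parent_image.lower().endswith("\\services.exe"):
        return None
    return Finding(ev.pid, "svchost-abnormal-launch",
                   f"cmdline={ev.cmdline!r} parent={(ev.parent_image or 'unknown')!r}")


def check_known_hash(ev: ProcEvent) -> Optional[Finding]:
    """Exact-hash match against the indicator taken from the report."""
    if ev.md5.lower() in KNOWN_BAD_MD5:
        return Finding(ev.pid, "known-bad-md5", ev.md5.lower())
    return None


CHECKS = (check_firewall_rule, check_svchost_launch, check_known_hash)


def triage(events: List[ProcEvent]) -> List[Finding]:
    """Run every check over every event and collect the findings."""
    findings = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed events mirroring Target IDs 11, 12, 13 and 17; parent images are
# assumptions. pid 900 is a constructed benign control (normal svchost start).
SAMPLE_EVENTS = [
    ProcEvent(11, r"C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe",
              r'C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe /d"C:\Users\user\Desktop\RSno9EH0K9.exe"',
              parent_image=r"C:\Users\user\Desktop\RSno9EH0K9.exe",
              md5="834E2E11D20A334B04B409E9ECD91E76"),
    ProcEvent(12, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="Host-process for services of Windows" dir=in action=allow '
              r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
              parent_image=r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(13, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              parent_image=r"C:\Windows\SysWOW64\netsh.exe"),
    ProcEvent(17, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
              parent_image=r"C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe"),
    ProcEvent(900, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p",
              parent_image=r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid:<4} {f.rule:<30} {f.detail}")
```

The netsh parser deliberately keeps the `>nul` handling: the rule line in the report was clearly run through a shell (the redirection is part of the recorded command line), and a key=value tokenizer that does not strip it reads `enable` as `yes>nul` and may miss the rule. The svchost check keys on the two invariants a legitimate start always has (services.exe as parent and a `-k` group), so it flags the bare `svchost.exe` of Target ID 17 without needing the hollowed image's hash.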
Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 26.3%
Total number of Nodes: 1598
Total number of Limit Nodes: 21

[Interactive execution graph not reproduced; only the API chains legible in the graph data are kept here. In a region at 0x2070000: GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA. In the main image: SetErrorMode / SetUnhandledExceptionFilter, GetModuleFileNameA, GetCommandLineA, CreateThread and WSAStartup at start-up; RegOpenKeyExA with RegSetValueExA, RegQueryValueExA and RegDeleteValueA; StartServiceCtrlDispatcherA; CreateProcessA followed by DeleteFileA (0x40a103 / 0x40a12a); CreateProcessA at 0x409794 followed by GetThreadContext, VirtualAllocEx / WriteProcessMemory, SetThreadContext and ResumeThread, with TerminateProcess on failure (the process-hollowing pattern); CreateProcessWithLogonW; AllocateAndInitializeSid / CheckTokenMembership / LookupAccountNameW; GetSystemTime / SystemTimeToFileTime, CreateFileW and DeviceIoControl; GetUserNameA; inet_addr, send and closesocket; GetProcessHeap / HeapSize / RtlAllocateHeap / HeapFree.]
40ec01 15699->15700 15701 40ebf6 15699->15701 15703 40eba0 codecvt 2 API calls 15700->15703 15702 40ebcc 4 API calls 15701->15702 15704 40ebfe 15702->15704 15705 40ec0a GetProcessHeap HeapReAlloc 15703->15705 15704->15675 15706 40eb74 2 API calls 15705->15706 15707 40ec28 15706->15707 15707->15675 15722 40eb41 15708->15722 15712 40de3a 15711->15712 15716 40de4e 15712->15716 15726 40dd84 15712->15726 15715 40ebed 8 API calls 15720 40def6 15715->15720 15716->15679 15717 40de76 15730 40ddcf 15717->15730 15719 40de9e 15719->15715 15719->15716 15720->15716 15721 40ddcf lstrcmpA 15720->15721 15721->15716 15723 40eb54 15722->15723 15724 40eb4a 15722->15724 15723->15679 15725 40eae4 2 API calls 15724->15725 15725->15723 15727 40ddc5 15726->15727 15728 40dd96 15726->15728 15727->15717 15727->15719 15728->15727 15729 40ddad lstrcmpiA 15728->15729 15729->15727 15729->15728 15732 40dddd 15730->15732 15733 40de20 15730->15733 15731 40ddfa lstrcmpA 15731->15732 15732->15731 15732->15733 15733->15716 15735 40dd05 6 API calls 15734->15735 15736 40e821 15735->15736 15737 40dd84 lstrcmpiA 15736->15737 15738 40e82c 15737->15738 15739 40e844 15738->15739 15782 402480 15738->15782 15739->15279 15742 40dd05 6 API calls 15741->15742 15743 40df7c 15742->15743 15744 40dd84 lstrcmpiA 15743->15744 15748 40df89 15744->15748 15745 40dfc4 15745->15285 15746 40ddcf lstrcmpA 15746->15748 15747 40ec2e codecvt 4 API calls 15747->15748 15748->15745 15748->15746 15748->15747 15749 40dd84 lstrcmpiA 15748->15749 15749->15748 15751 40ea98 15750->15751 15791 40e8a1 15751->15791 15753 401e84 15753->15288 15755 4019d5 GetProcAddress GetProcAddress GetProcAddress 15754->15755 15758 4019ce 15754->15758 15756 401ab3 FreeLibrary 15755->15756 15757 401a04 15755->15757 15756->15758 15757->15756 15759 401a14 GetProcessHeap 15757->15759 15758->15292 15759->15758 15761 401a2e HeapAlloc 15759->15761 15761->15758 15762 401a42 15761->15762 15763 401a52 HeapReAlloc 15762->15763 15765 401a62 15762->15765 15763->15765 
15764 401aa1 FreeLibrary 15764->15758 15765->15764 15766 401a96 HeapFree 15765->15766 15766->15764 15819 401ac3 LoadLibraryA 15767->15819 15770 401bcf 15770->15304 15772 401ac3 12 API calls 15771->15772 15773 401c09 15772->15773 15774 401c41 15773->15774 15775 401c0d GetComputerNameA 15773->15775 15774->15311 15776 401c45 GetVolumeInformationA 15775->15776 15777 401c1f 15775->15777 15776->15774 15777->15774 15777->15776 15779 40ee2a 15778->15779 15780 4030d0 gethostname gethostbyname 15779->15780 15781 401f82 15780->15781 15781->15316 15781->15318 15785 402419 lstrlenA 15782->15785 15784 402491 15784->15739 15786 40243d lstrlenA 15785->15786 15789 402474 15785->15789 15787 402464 lstrlenA 15786->15787 15788 40244e lstrcmpiA 15786->15788 15787->15786 15787->15789 15788->15787 15790 40245c 15788->15790 15789->15784 15790->15787 15790->15789 15792 40dd05 6 API calls 15791->15792 15793 40e8b4 15792->15793 15794 40dd84 lstrcmpiA 15793->15794 15795 40e8c0 15794->15795 15796 40e90a 15795->15796 15797 40e8c8 lstrcpynA 15795->15797 15799 402419 4 API calls 15796->15799 15805 40ea27 15796->15805 15798 40e8f5 15797->15798 15812 40df4c 15798->15812 15800 40e926 lstrlenA lstrlenA 15799->15800 15802 40e96a 15800->15802 15803 40e94c lstrlenA 15800->15803 15802->15805 15807 40ebcc 4 API calls 15802->15807 15803->15802 15804 40e901 15806 40dd84 lstrcmpiA 15804->15806 15805->15753 15806->15796 15808 40e98f 15807->15808 15808->15805 15809 40df4c 20 API calls 15808->15809 15810 40ea1e 15809->15810 15811 40ec2e codecvt 4 API calls 15810->15811 15811->15805 15813 40dd05 6 API calls 15812->15813 15814 40df51 15813->15814 15815 40f04e 4 API calls 15814->15815 15816 40df58 15815->15816 15817 40de24 10 API calls 15816->15817 15818 40df63 15817->15818 15818->15804 15820 401ae2 GetProcAddress 15819->15820 15821 401b68 GetComputerNameA GetVolumeInformationA 15819->15821 15820->15821 15822 401af5 15820->15822 15821->15770 15823 40ebed 8 API calls 15822->15823 15824 401b29 15822->15824 
15823->15822 15824->15821 15824->15824 15825 40ec2e codecvt 4 API calls 15824->15825 15825->15821 15827 406ec3 2 API calls 15826->15827 15828 407ef4 15827->15828 15829 4073ff 17 API calls 15828->15829 15838 407fc9 15828->15838 15830 407f16 15829->15830 15830->15838 15839 407809 GetUserNameA 15830->15839 15832 407f63 15833 40ef1e lstrlenA 15832->15833 15832->15838 15834 407fa6 15833->15834 15835 40ef1e lstrlenA 15834->15835 15836 407fb7 15835->15836 15863 407a95 RegOpenKeyExA 15836->15863 15838->15326 15840 40783d LookupAccountNameA 15839->15840 15841 407a8d 15839->15841 15840->15841 15842 407874 GetLengthSid GetFileSecurityA 15840->15842 15841->15832 15842->15841 15843 4078a8 GetSecurityDescriptorOwner 15842->15843 15844 4078c5 EqualSid 15843->15844 15845 40791d GetSecurityDescriptorDacl 15843->15845 15844->15845 15846 4078dc LocalAlloc 15844->15846 15845->15841 15851 407941 15845->15851 15846->15845 15847 4078ef InitializeSecurityDescriptor 15846->15847 15849 407916 LocalFree 15847->15849 15850 4078fb SetSecurityDescriptorOwner 15847->15850 15848 40795b GetAce 15848->15851 15849->15845 15850->15849 15852 40790b SetFileSecurityA 15850->15852 15851->15841 15851->15848 15853 407980 EqualSid 15851->15853 15854 407a3d 15851->15854 15855 4079be EqualSid 15851->15855 15856 40799d DeleteAce 15851->15856 15852->15849 15853->15851 15854->15841 15857 407a43 LocalAlloc 15854->15857 15855->15851 15856->15851 15857->15841 15858 407a56 InitializeSecurityDescriptor 15857->15858 15859 407a62 SetSecurityDescriptorDacl 15858->15859 15860 407a86 LocalFree 15858->15860 15859->15860 15861 407a73 SetFileSecurityA 15859->15861 15860->15841 15861->15860 15862 407a83 15861->15862 15862->15860 15864 407ac4 15863->15864 15865 407acb GetUserNameA 15863->15865 15864->15838 15866 407da7 RegCloseKey 15865->15866 15867 407aed LookupAccountNameA 15865->15867 15866->15864 15867->15866 15868 407b24 RegGetKeySecurity 15867->15868 15868->15866 15869 407b49 GetSecurityDescriptorOwner 15868->15869 15870 
407b63 EqualSid 15869->15870 15871 407bb8 GetSecurityDescriptorDacl 15869->15871 15870->15871 15872 407b74 LocalAlloc 15870->15872 15873 407da6 15871->15873 15880 407bdc 15871->15880 15872->15871 15874 407b8a InitializeSecurityDescriptor 15872->15874 15873->15866 15875 407bb1 LocalFree 15874->15875 15876 407b96 SetSecurityDescriptorOwner 15874->15876 15875->15871 15876->15875 15878 407ba6 RegSetKeySecurity 15876->15878 15877 407bf8 GetAce 15877->15880 15878->15875 15879 407c1d EqualSid 15879->15880 15880->15873 15880->15877 15880->15879 15881 407c5f EqualSid 15880->15881 15882 407cd9 15880->15882 15883 407c3a DeleteAce 15880->15883 15881->15880 15882->15873 15884 407d5a LocalAlloc 15882->15884 15886 407cf2 RegOpenKeyExA 15882->15886 15883->15880 15884->15873 15885 407d70 InitializeSecurityDescriptor 15884->15885 15887 407d7c SetSecurityDescriptorDacl 15885->15887 15888 407d9f LocalFree 15885->15888 15886->15884 15890 407d0f 15886->15890 15887->15888 15889 407d8c RegSetKeySecurity 15887->15889 15888->15873 15889->15888 15891 407d9c 15889->15891 15892 407d43 RegSetValueExA 15890->15892 15891->15888 15892->15884 15893 407d54 15892->15893 15893->15884 15894->15346 15896 40dd05 6 API calls 15895->15896 15899 40e65f 15896->15899 15897 40e6a5 15898 40ebcc 4 API calls 15897->15898 15902 40e6f5 15897->15902 15901 40e6b0 15898->15901 15899->15897 15900 40e68c lstrcmpA 15899->15900 15900->15899 15901->15902 15904 40e6b7 15901->15904 15905 40e6e0 lstrcpynA 15901->15905 15903 40e71d lstrcmpA 15902->15903 15902->15904 15903->15902 15904->15348 15905->15902 15906->15354 15908 40c525 15907->15908 15909 40c532 15907->15909 15908->15909 15912 40ec2e codecvt 4 API calls 15908->15912 15910 40c548 15909->15910 16059 40e7ff 15909->16059 15913 40c54f 15910->15913 15914 40e7ff lstrcmpiA 15910->15914 15912->15909 15913->15367 15915 40c615 15914->15915 15915->15913 15917 40ebcc 4 API calls 15915->15917 15917->15913 15918 40c5d1 15920 40ebcc 4 API calls 15918->15920 15919 40e819 11 API calls 
15921 40c5b7 15919->15921 15920->15913 15922 40f04e 4 API calls 15921->15922 15923 40c5bf 15922->15923 15923->15910 15923->15918 15925 402692 inet_addr 15924->15925 15926 40268e 15924->15926 15925->15926 15927 40269e gethostbyname 15925->15927 15928 40f428 15926->15928 15927->15926 16062 40f315 15928->16062 15933 40c8d2 15931->15933 15932 40c907 15932->15369 15933->15932 15934 40c517 23 API calls 15933->15934 15934->15932 15935 40f43e 15936 40f473 recv 15935->15936 15937 40f458 15936->15937 15938 40f47c 15936->15938 15937->15936 15937->15938 15938->15385 15940 40c670 15939->15940 15941 40c67d 15939->15941 15942 40ebcc 4 API calls 15940->15942 15943 40ebcc 4 API calls 15941->15943 15945 40c699 15941->15945 15942->15941 15943->15945 15944 40c6f3 15944->15398 15944->15418 15945->15944 15946 40c73c send 15945->15946 15946->15944 15948 40c770 15947->15948 15949 40c77d 15947->15949 15950 40ebcc 4 API calls 15948->15950 15951 40c799 15949->15951 15952 40ebcc 4 API calls 15949->15952 15950->15949 15953 40c7b5 15951->15953 15954 40ebcc 4 API calls 15951->15954 15952->15951 15955 40f43e recv 15953->15955 15954->15953 15956 40c7cb 15955->15956 15957 40f43e recv 15956->15957 15958 40c7d3 15956->15958 15957->15958 15958->15418 16075 407db7 15959->16075 15962 407e96 15962->15418 15963 40f04e 4 API calls 15965 407e4c 15963->15965 15964 40f04e 4 API calls 15964->15962 15966 40f04e 4 API calls 15965->15966 15967 407e70 15965->15967 15966->15967 15967->15962 15967->15964 15969 406ec3 2 API calls 15968->15969 15970 407fdd 15969->15970 15971 4073ff 17 API calls 15970->15971 15980 4080c2 CreateProcessA 15970->15980 15972 407fff 15971->15972 15972->15972 15973 407809 21 API calls 15972->15973 15972->15980 15974 40804d 15973->15974 15975 40ef1e lstrlenA 15974->15975 15974->15980 15976 40809e 15975->15976 15977 40ef1e lstrlenA 15976->15977 15978 4080af 15977->15978 15979 407a95 24 API calls 15978->15979 15979->15980 15980->15450 15980->15451 15982 407db7 2 API calls 15981->15982 15983 
407eb8 15982->15983 15984 40f04e 4 API calls 15983->15984 15985 407ece DeleteFileA 15984->15985 15985->15418 15987 40dd05 6 API calls 15986->15987 15988 40e31d 15987->15988 16079 40e177 15988->16079 15990 40e326 15990->15422 15992 4031f3 15991->15992 15994 4031ec 15991->15994 15993 40ebcc 4 API calls 15992->15993 16000 4031fc 15993->16000 15994->15418 15995 403459 15998 40f04e 4 API calls 15995->15998 15996 40349d 15997 40ec2e codecvt 4 API calls 15996->15997 15997->15994 15999 40345f 15998->15999 16002 4030fa 4 API calls 15999->16002 16000->15994 16000->16000 16001 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 16000->16001 16003 40344d 16000->16003 16005 40344b 16000->16005 16007 403141 lstrcmpiA 16000->16007 16105 4030fa GetTickCount 16000->16105 16001->16000 16002->15994 16004 40ec2e codecvt 4 API calls 16003->16004 16004->16005 16005->15995 16005->15996 16007->16000 16009 4030fa 4 API calls 16008->16009 16010 403c1a 16009->16010 16014 403ce6 16010->16014 16110 403a72 16010->16110 16013 403a72 9 API calls 16017 403c5e 16013->16017 16014->15418 16015 403a72 9 API calls 16015->16017 16016 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16016->16017 16017->16014 16017->16015 16017->16016 16019 403a10 16018->16019 16020 4030fa 4 API calls 16019->16020 16021 403a1a 16020->16021 16021->15418 16023 40dd05 6 API calls 16022->16023 16024 40e7be 16023->16024 16024->15418 16026 40c105 16025->16026 16027 40c07e wsprintfA 16025->16027 16026->15418 16119 40bfce GetTickCount wsprintfA 16027->16119 16029 40c0ef 16120 40bfce GetTickCount wsprintfA 16029->16120 16032 407047 16031->16032 16033 406f88 LookupAccountNameA 16031->16033 16032->15418 16035 407025 16033->16035 16036 406fcb 16033->16036 16037 406edd 5 API calls 16035->16037 16039 406fdb ConvertSidToStringSidA 16036->16039 16038 40702a wsprintfA 16037->16038 16038->16032 16039->16035 16040 406ff1 16039->16040 16041 407013 LocalFree 16040->16041 16041->16035 16043 40dd05 6 API calls 
16042->16043 16044 40e85c 16043->16044 16045 40dd84 lstrcmpiA 16044->16045 16046 40e867 16045->16046 16047 40e885 lstrcpyA 16046->16047 16121 4024a5 16046->16121 16124 40dd69 16047->16124 16053 407db7 2 API calls 16052->16053 16054 407de1 16053->16054 16055 407e16 16054->16055 16056 40f04e 4 API calls 16054->16056 16055->15418 16057 407df2 16056->16057 16057->16055 16058 40f04e 4 API calls 16057->16058 16058->16055 16060 40dd84 lstrcmpiA 16059->16060 16061 40c58e 16060->16061 16061->15910 16061->15918 16061->15919 16063 40ca1d 16062->16063 16064 40f33b 16062->16064 16063->15382 16063->15935 16065 40f347 htons socket 16064->16065 16066 40f382 ioctlsocket 16065->16066 16067 40f374 closesocket 16065->16067 16068 40f3aa connect select 16066->16068 16069 40f39d 16066->16069 16067->16063 16068->16063 16071 40f3f2 __WSAFDIsSet 16068->16071 16070 40f39f closesocket 16069->16070 16070->16063 16071->16070 16072 40f403 ioctlsocket 16071->16072 16074 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16072->16074 16074->16063 16076 407dc8 InterlockedExchange 16075->16076 16077 407dc0 Sleep 16076->16077 16078 407dd4 16076->16078 16077->16076 16078->15963 16078->15967 16080 40e184 16079->16080 16081 40e223 16080->16081 16093 40e2e4 16080->16093 16095 40dfe2 16080->16095 16083 40dfe2 8 API calls 16081->16083 16081->16093 16087 40e23c 16083->16087 16084 40e1be 16084->16081 16085 40dbcf 3 API calls 16084->16085 16088 40e1d6 16085->16088 16086 40e21a CloseHandle 16086->16081 16087->16093 16099 40e095 RegCreateKeyExA 16087->16099 16088->16081 16088->16086 16089 40e1f9 WriteFile 16088->16089 16089->16086 16091 40e213 16089->16091 16091->16086 16092 40e2a3 16092->16093 16094 40e095 4 API calls 16092->16094 16093->15990 16094->16093 16096 40dffc 16095->16096 16098 40e024 16095->16098 16097 40db2e 8 API calls 16096->16097 16096->16098 16097->16098 16098->16084 16100 40e172 16099->16100 16102 40e0c0 16099->16102 16100->16092 16101 40e13d 16103 40e14e RegDeleteValueA RegCloseKey 
16101->16103 16102->16101 16104 40e115 RegSetValueExA 16102->16104 16103->16100 16104->16101 16104->16102 16106 403122 InterlockedExchange 16105->16106 16107 40312e 16106->16107 16108 40310f GetTickCount 16106->16108 16107->16000 16108->16107 16109 40311a Sleep 16108->16109 16109->16106 16111 40f04e 4 API calls 16110->16111 16118 403a83 16111->16118 16112 403ac1 16112->16013 16112->16014 16113 403be6 16114 40ec2e codecvt 4 API calls 16113->16114 16114->16112 16115 403bc0 16115->16113 16117 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16115->16117 16116 403b66 lstrlenA 16116->16112 16116->16118 16117->16115 16118->16112 16118->16115 16118->16116 16119->16029 16120->16026 16122 402419 4 API calls 16121->16122 16123 4024b6 16122->16123 16123->16047 16125 40dd79 lstrlenA 16124->16125 16125->15418 16127 404084 16126->16127 16128 40407d 16126->16128 16129 403ecd 6 API calls 16127->16129 16130 40408f 16129->16130 16131 404000 3 API calls 16130->16131 16132 404095 16131->16132 16133 404130 16132->16133 16134 4040c0 16132->16134 16135 403ecd 6 API calls 16133->16135 16139 403f18 4 API calls 16134->16139 16136 404159 CreateNamedPipeA 16135->16136 16137 404167 Sleep 16136->16137 16138 404188 ConnectNamedPipe 16136->16138 16137->16133 16141 404176 CloseHandle 16137->16141 16140 404195 GetLastError 16138->16140 16151 4041ab 16138->16151 16142 4040da 16139->16142 16144 40425e DisconnectNamedPipe 16140->16144 16140->16151 16141->16138 16143 403f8c 4 API calls 16142->16143 16145 4040ec 16143->16145 16144->16138 16146 404127 CloseHandle 16145->16146 16147 404101 16145->16147 16146->16133 16148 403f18 4 API calls 16147->16148 16149 40411c ExitProcess 16148->16149 16150 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16150->16151 16151->16138 16151->16144 16151->16150 16152 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16151->16152 16153 40426a CloseHandle CloseHandle 16151->16153 16152->16151 16154 40e318 23 API calls 
16153->16154 16155 40427b 16154->16155 16155->16155 16157 408791 16156->16157 16158 40879f 16156->16158 16159 40f04e 4 API calls 16157->16159 16160 4087bc 16158->16160 16161 40f04e 4 API calls 16158->16161 16159->16158 16162 40e819 11 API calls 16160->16162 16161->16160 16163 4087d7 16162->16163 16175 408803 16163->16175 16177 4026b2 gethostbyaddr 16163->16177 16165 4087eb 16167 40e8a1 30 API calls 16165->16167 16165->16175 16167->16175 16170 40e819 11 API calls 16170->16175 16171 4088a0 Sleep 16171->16175 16172 4026b2 2 API calls 16172->16175 16173 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16173->16175 16175->16170 16175->16171 16175->16172 16175->16173 16176 40e8a1 30 API calls 16175->16176 16182 40c4d6 16175->16182 16185 40c4e2 16175->16185 16188 402011 16175->16188 16223 408328 16175->16223 16176->16175 16178 4026fb 16177->16178 16179 4026cd 16177->16179 16178->16165 16180 4026e1 inet_ntoa 16179->16180 16181 4026de 16179->16181 16180->16181 16181->16165 16275 40c2dc 16182->16275 16186 40c2dc 141 API calls 16185->16186 16187 40c4ec 16186->16187 16187->16175 16189 402020 16188->16189 16190 40202e 16188->16190 16191 40f04e 4 API calls 16189->16191 16192 40204b 16190->16192 16193 40f04e 4 API calls 16190->16193 16191->16190 16194 40206e GetTickCount 16192->16194 16195 40f04e 4 API calls 16192->16195 16193->16192 16196 4020db GetTickCount 16194->16196 16206 402090 16194->16206 16198 402068 16195->16198 16197 402132 GetTickCount GetTickCount 16196->16197 16208 4020e7 16196->16208 16200 40f04e 4 API calls 16197->16200 16198->16194 16199 4020d4 GetTickCount 16199->16196 16202 402159 16200->16202 16201 40212b GetTickCount 16201->16197 16204 4021b4 16202->16204 16207 40e854 13 API calls 16202->16207 16203 402684 2 API calls 16203->16206 16209 40f04e 4 API calls 16204->16209 16206->16199 16206->16203 16210 4020ce 16206->16210 16610 401978 16206->16610 16211 40218e 16207->16211 16208->16201 16216 401978 15 API calls 16208->16216 16217 
402125 16208->16217 16615 402ef8 16208->16615 16213 4021d1 16209->16213 16210->16199 16215 40e819 11 API calls 16211->16215 16214 4021f2 16213->16214 16218 40ea84 30 API calls 16213->16218 16214->16175 16219 40219c 16215->16219 16216->16208 16217->16201 16220 4021ec 16218->16220 16219->16204 16623 401c5f 16219->16623 16221 40f04e 4 API calls 16220->16221 16221->16214 16224 407dd6 6 API calls 16223->16224 16225 40833c 16224->16225 16226 406ec3 2 API calls 16225->16226 16230 408340 16225->16230 16227 40834f 16226->16227 16228 40835c 16227->16228 16232 40846b 16227->16232 16229 4073ff 17 API calls 16228->16229 16237 408373 16229->16237 16230->16175 16231 40675c 21 API calls 16248 4085df 16231->16248 16234 4084a7 RegOpenKeyExA 16232->16234 16261 408450 16232->16261 16233 408626 GetTempPathA 16236 408638 16233->16236 16238 4084c0 RegQueryValueExA 16234->16238 16239 40852f 16234->16239 16695 406ba7 IsBadCodePtr 16236->16695 16237->16230 16255 4083ea RegOpenKeyExA 16237->16255 16237->16261 16241 408521 RegCloseKey 16238->16241 16242 4084dd 16238->16242 16245 408564 RegOpenKeyExA 16239->16245 16251 4085a5 16239->16251 16240 4086ad 16243 408762 16240->16243 16244 407e2f 6 API calls 16240->16244 16241->16239 16242->16241 16250 40ebcc 4 API calls 16242->16250 16243->16230 16247 40ec2e codecvt 4 API calls 16243->16247 16252 4086bb 16244->16252 16249 408573 16245->16249 16245->16251 16246 40875b DeleteFileA 16246->16243 16247->16230 16248->16233 16248->16236 16248->16243 16249->16249 16253 408585 RegSetValueExA RegCloseKey 16249->16253 16254 4084f0 16250->16254 16258 40ec2e codecvt 4 API calls 16251->16258 16251->16261 16252->16246 16262 4086e0 lstrcpyA lstrlenA 16252->16262 16253->16251 16254->16241 16256 4084f8 RegQueryValueExA 16254->16256 16259 4083fd RegQueryValueExA 16255->16259 16255->16261 16256->16241 16257 408515 16256->16257 16260 40ec2e codecvt 4 API calls 16257->16260 16258->16261 16263 40842d RegSetValueExA 16259->16263 16264 40841e 16259->16264 16265 40851d 
16260->16265 16261->16231 16261->16248 16266 407fcf 64 API calls 16262->16266 16267 408447 RegCloseKey 16263->16267 16264->16263 16264->16267 16265->16241 16268 408719 CreateProcessA 16266->16268 16267->16261 16269 40873d CloseHandle CloseHandle 16268->16269 16270 40874f 16268->16270 16269->16243 16271 407ee6 64 API calls 16270->16271 16272 408754 16271->16272 16273 407ead 6 API calls 16272->16273 16274 40875a 16273->16274 16274->16246 16291 40a4c7 GetTickCount 16275->16291 16278 40c45e 16282 40c4d2 16278->16282 16283 40c4ab InterlockedIncrement CreateThread 16278->16283 16279 40c300 GetTickCount 16281 40c337 16279->16281 16280 40c326 16280->16281 16284 40c32b GetTickCount 16280->16284 16281->16278 16286 40c363 GetTickCount 16281->16286 16282->16175 16283->16282 16285 40c4cb CloseHandle 16283->16285 16296 40b535 16283->16296 16284->16281 16285->16282 16286->16278 16287 40c373 16286->16287 16288 40c378 GetTickCount 16287->16288 16289 40c37f 16287->16289 16288->16289 16290 40c43b GetTickCount 16289->16290 16290->16278 16292 40a4f7 InterlockedExchange 16291->16292 16293 40a500 16292->16293 16294 40a4e4 GetTickCount 16292->16294 16293->16278 16293->16279 16293->16280 16294->16293 16295 40a4ef Sleep 16294->16295 16295->16292 16297 40b566 16296->16297 16298 40ebcc 4 API calls 16297->16298 16299 40b587 16298->16299 16300 40ebcc 4 API calls 16299->16300 16333 40b590 16300->16333 16301 40bdcd InterlockedDecrement 16302 40bde2 16301->16302 16304 40ec2e codecvt 4 API calls 16302->16304 16305 40bdea 16304->16305 16306 40ec2e codecvt 4 API calls 16305->16306 16308 40bdf2 16306->16308 16307 40bdb7 Sleep 16307->16333 16309 40be05 16308->16309 16311 40ec2e codecvt 4 API calls 16308->16311 16310 40bdcc 16310->16301 16311->16309 16312 40ebed 8 API calls 16312->16333 16315 40b6b6 lstrlenA 16315->16333 16316 4030b5 2 API calls 16316->16333 16317 40b6ed lstrcpyA 16371 405ce1 16317->16371 16318 40e819 11 API calls 16318->16333 16321 40b731 lstrlenA 16321->16333 16322 40b71f lstrcmpA 
16322->16321 16322->16333 16323 40b772 GetTickCount 16323->16333 16324 40bd49 InterlockedIncrement 16468 40a628 16324->16468 16327 40b7ce InterlockedIncrement 16381 40acd7 16327->16381 16328 40bc5b InterlockedIncrement 16328->16333 16331 40b912 GetTickCount 16331->16333 16332 40b826 InterlockedIncrement 16332->16323 16333->16301 16333->16307 16333->16310 16333->16312 16333->16315 16333->16316 16333->16317 16333->16318 16333->16321 16333->16322 16333->16323 16333->16324 16333->16327 16333->16328 16333->16331 16333->16332 16334 40b932 GetTickCount 16333->16334 16335 40bcdc closesocket 16333->16335 16337 405ce1 22 API calls 16333->16337 16338 4038f0 6 API calls 16333->16338 16341 40a7c1 22 API calls 16333->16341 16343 40bba6 InterlockedIncrement 16333->16343 16345 40bc4c closesocket 16333->16345 16347 40ba71 wsprintfA 16333->16347 16349 40ab81 lstrcpynA InterlockedIncrement 16333->16349 16350 40ef1e lstrlenA 16333->16350 16351 405ded 12 API calls 16333->16351 16353 403e10 16333->16353 16356 403e4f 16333->16356 16359 40384f 16333->16359 16379 40a7a3 inet_ntoa 16333->16379 16386 40abee 16333->16386 16398 401feb GetTickCount 16333->16398 16399 40a688 16333->16399 16422 403cfb 16333->16422 16425 40b3c5 16333->16425 16456 40ab81 16333->16456 16334->16333 16336 40bc6d InterlockedIncrement 16334->16336 16335->16333 16336->16333 16337->16333 16338->16333 16341->16333 16343->16333 16345->16333 16402 40a7c1 16347->16402 16349->16333 16350->16333 16351->16333 16354 4030fa 4 API calls 16353->16354 16355 403e1d 16354->16355 16355->16333 16357 4030fa 4 API calls 16356->16357 16358 403e5c 16357->16358 16358->16333 16360 4030fa 4 API calls 16359->16360 16361 403863 16360->16361 16362 4038b9 16361->16362 16363 403889 16361->16363 16370 4038b2 16361->16370 16477 4035f9 16362->16477 16471 403718 16363->16471 16368 403718 6 API calls 16368->16370 16369 4035f9 6 API calls 16369->16370 16370->16333 16372 405cf4 16371->16372 16373 405cec 16371->16373 16375 404bd1 4 API calls 16372->16375 
16483 404bd1 GetTickCount 16373->16483 16376 405d02 16375->16376 16488 405472 16376->16488 16380 40a7b9 16379->16380 16380->16333 16382 40f315 14 API calls 16381->16382 16383 40aceb 16382->16383 16384 40acff 16383->16384 16385 40f315 14 API calls 16383->16385 16384->16333 16385->16384 16387 40abfb 16386->16387 16390 40ac65 16387->16390 16551 402f22 16387->16551 16389 40f315 14 API calls 16389->16390 16390->16389 16391 40ac8a 16390->16391 16392 40ac6f 16390->16392 16391->16333 16394 40ab81 2 API calls 16392->16394 16393 40ac23 16393->16390 16395 402684 2 API calls 16393->16395 16396 40ac81 16394->16396 16395->16393 16559 4038f0 16396->16559 16398->16333 16573 40a63d 16399->16573 16401 40a696 16401->16333 16403 40a87d lstrlenA send 16402->16403 16404 40a7df 16402->16404 16405 40a899 16403->16405 16406 40a8bf 16403->16406 16404->16403 16410 40a7fa wsprintfA 16404->16410 16413 40a80a 16404->16413 16414 40a8f2 16404->16414 16407 40a8a5 wsprintfA 16405->16407 16421 40a89e 16405->16421 16408 40a8c4 send 16406->16408 16406->16414 16407->16421 16411 40a8d8 wsprintfA 16408->16411 16408->16414 16409 40a978 recv 16409->16414 16415 40a982 16409->16415 16410->16413 16411->16421 16412 40a9b0 wsprintfA 16412->16421 16413->16403 16414->16409 16414->16412 16414->16415 16416 4030b5 2 API calls 16415->16416 16415->16421 16417 40ab05 16416->16417 16418 40e819 11 API calls 16417->16418 16419 40ab17 16418->16419 16420 40a7a3 inet_ntoa 16419->16420 16420->16421 16421->16333 16423 4030fa 4 API calls 16422->16423 16424 403d0b 16423->16424 16424->16333 16426 405ce1 22 API calls 16425->16426 16427 40b3e6 16426->16427 16428 405ce1 22 API calls 16427->16428 16429 40b404 16428->16429 16430 40b440 16429->16430 16431 40ef7c 3 API calls 16429->16431 16432 40ef7c 3 API calls 16430->16432 16433 40b42b 16431->16433 16434 40b458 wsprintfA 16432->16434 16435 40ef7c 3 API calls 16433->16435 16436 40ef7c 3 API calls 16434->16436 16435->16430 16437 40b480 16436->16437 16438 40ef7c 3 API calls 16437->16438 
16439 40b493 16438->16439 16440 40ef7c 3 API calls 16439->16440 16441 40b4bb 16440->16441 16578 40ad89 GetLocalTime SystemTimeToFileTime 16441->16578 16445 40b4cc 16446 40ef7c 3 API calls 16445->16446 16447 40b4dd 16446->16447 16448 40b211 7 API calls 16447->16448 16449 40b4ec 16448->16449 16450 40ef7c 3 API calls 16449->16450 16451 40b4fd 16450->16451 16452 40b211 7 API calls 16451->16452 16453 40b509 16452->16453 16454 40ef7c 3 API calls 16453->16454 16455 40b51a 16454->16455 16455->16333 16457 40abe9 GetTickCount 16456->16457 16459 40ab8c 16456->16459 16461 40a51d 16457->16461 16458 40aba8 lstrcpynA 16458->16459 16459->16457 16459->16458 16460 40abe1 InterlockedIncrement 16459->16460 16460->16459 16462 40a4c7 4 API calls 16461->16462 16463 40a52c 16462->16463 16464 40a542 GetTickCount 16463->16464 16466 40a539 GetTickCount 16463->16466 16464->16466 16467 40a56c 16466->16467 16467->16333 16469 40a4c7 4 API calls 16468->16469 16470 40a633 16469->16470 16470->16333 16472 40f04e 4 API calls 16471->16472 16474 40372a 16472->16474 16473 403847 16473->16368 16473->16370 16474->16473 16475 4037b3 GetCurrentThreadId 16474->16475 16475->16474 16476 4037c8 GetCurrentThreadId 16475->16476 16476->16474 16478 40f04e 4 API calls 16477->16478 16482 40360c 16478->16482 16479 4036f1 16479->16369 16479->16370 16480 4036da GetCurrentThreadId 16480->16479 16481 4036e5 GetCurrentThreadId 16480->16481 16481->16479 16482->16479 16482->16480 16484 404bff InterlockedExchange 16483->16484 16485 404c08 16484->16485 16486 404bec GetTickCount 16484->16486 16485->16372 16486->16485 16487 404bf7 Sleep 16486->16487 16487->16484 16507 404763 16488->16507 16490 40548a 16491 405b58 16490->16491 16501 40558d lstrcpynA 16490->16501 16502 405a9f lstrcpyA 16490->16502 16503 405472 13 API calls 16490->16503 16504 405935 lstrcpynA 16490->16504 16505 4058e7 lstrcpyA 16490->16505 16506 404ae6 8 API calls 16490->16506 16511 404ae6 16490->16511 16515 40ef7c lstrlenA lstrlenA lstrlenA 16490->16515 16517 
404699 16491->16517 16494 404763 lstrlenA 16495 405b6e 16494->16495 16538 404f9f 16495->16538 16497 405b79 16497->16333 16499 405549 lstrlenA 16499->16490 16501->16490 16502->16490 16503->16490 16504->16490 16505->16490 16506->16490 16509 40477a 16507->16509 16508 404859 16508->16490 16509->16508 16510 40480d lstrlenA 16509->16510 16510->16509 16512 404af3 16511->16512 16514 404b03 16511->16514 16513 40ebed 8 API calls 16512->16513 16513->16514 16514->16499 16516 40efb4 16515->16516 16516->16490 16543 4045b3 16517->16543 16520 4045b3 7 API calls 16521 4046c6 16520->16521 16522 4045b3 7 API calls 16521->16522 16523 4046d8 16522->16523 16524 4045b3 7 API calls 16523->16524 16525 4046ea 16524->16525 16526 4045b3 7 API calls 16525->16526 16527 4046ff 16526->16527 16528 4045b3 7 API calls 16527->16528 16529 404711 16528->16529 16530 4045b3 7 API calls 16529->16530 16531 404723 16530->16531 16532 40ef7c 3 API calls 16531->16532 16533 404735 16532->16533 16534 40ef7c 3 API calls 16533->16534 16535 40474a 16534->16535 16536 40ef7c 3 API calls 16535->16536 16537 40475c 16536->16537 16537->16494 16539 404fac 16538->16539 16542 404fb0 16538->16542 16539->16497 16540 404ffd 16540->16497 16541 404fd5 IsBadCodePtr 16541->16542 16542->16540 16542->16541 16544 4045c1 16543->16544 16545 4045c8 16543->16545 16546 40ebcc 4 API calls 16544->16546 16547 4045e1 16545->16547 16548 40ebcc 4 API calls 16545->16548 16546->16545 16549 404691 16547->16549 16550 40ef7c 3 API calls 16547->16550 16548->16547 16549->16520 16550->16547 16566 402d21 GetModuleHandleA 16551->16566 16554 402fcf GetProcessHeap HeapFree 16558 402f44 16554->16558 16555 402f4f 16557 402f6b GetProcessHeap HeapFree 16555->16557 16556 402f85 16556->16554 16556->16556 16557->16558 16558->16393 16560 403900 16559->16560 16564 403980 16559->16564 16561 4030fa 4 API calls 16560->16561 16565 40390a 16561->16565 16562 40391b GetCurrentThreadId 16562->16565 16563 403939 GetCurrentThreadId 16563->16565 16564->16391 16565->16562 
16565->16563 16565->16564 16567 402d46 LoadLibraryA 16566->16567 16568 402d5b GetProcAddress 16566->16568 16567->16568 16571 402d54 16567->16571 16569 402d6b 16568->16569 16568->16571 16570 402d97 GetProcessHeap HeapAlloc 16569->16570 16569->16571 16572 402db5 lstrcpynA 16569->16572 16570->16569 16570->16571 16571->16555 16571->16556 16571->16558 16572->16569 16574 40a645 16573->16574 16575 40a64d 16573->16575 16574->16401 16576 40a66e 16575->16576 16577 40a65e GetTickCount 16575->16577 16576->16401 16577->16576 16579 40adbf 16578->16579 16603 40ad08 gethostname 16579->16603 16582 4030b5 2 API calls 16583 40add3 16582->16583 16584 40a7a3 inet_ntoa 16583->16584 16586 40ade4 16583->16586 16584->16586 16585 40ae85 wsprintfA 16587 40ef7c 3 API calls 16585->16587 16586->16585 16589 40ae36 wsprintfA wsprintfA 16586->16589 16588 40aebb 16587->16588 16590 40ef7c 3 API calls 16588->16590 16591 40ef7c 3 API calls 16589->16591 16592 40aed2 16590->16592 16591->16586 16593 40b211 16592->16593 16594 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16593->16594 16595 40b2af GetLocalTime 16593->16595 16596 40b2d2 16594->16596 16595->16596 16597 40b2d9 SystemTimeToFileTime 16596->16597 16598 40b31c GetTimeZoneInformation 16596->16598 16599 40b2ec 16597->16599 16600 40b33a wsprintfA 16598->16600 16601 40b312 FileTimeToSystemTime 16599->16601 16600->16445 16601->16598 16604 40ad71 16603->16604 16605 40ad26 lstrlenA 16603->16605 16607 40ad85 16604->16607 16608 40ad79 lstrcpyA 16604->16608 16605->16604 16609 40ad68 lstrlenA 16605->16609 16607->16582 16608->16607 16609->16604 16611 40f428 14 API calls 16610->16611 16612 40198a 16611->16612 16613 401990 closesocket 16612->16613 16614 401998 16612->16614 16613->16614 16614->16206 16616 402d21 6 API calls 16615->16616 16617 402f01 16616->16617 16618 402f0f 16617->16618 16631 402df2 GetModuleHandleA 16617->16631 16620 402684 2 API calls 16618->16620 16622 402f1f 16618->16622 16621 402f1d 16620->16621 16621->16208 16622->16208 16627 
401c80 16623->16627 16624 401cc2 wsprintfA 16626 402684 2 API calls 16624->16626 16625 401d1c 16625->16625 16628 401d47 wsprintfA 16625->16628 16626->16627 16627->16624 16627->16625 16630 401d79 16627->16630 16629 402684 2 API calls 16628->16629 16629->16630 16630->16204 16632 402e10 LoadLibraryA 16631->16632 16633 402e0b 16631->16633 16634 402e17 16632->16634 16633->16632 16633->16634 16635 402ef1 16634->16635 16636 402e28 GetProcAddress 16634->16636 16635->16618 16636->16635 16637 402e3e GetProcessHeap HeapAlloc 16636->16637 16639 402e62 16637->16639 16638 402ede GetProcessHeap HeapFree 16638->16635 16639->16635 16639->16638 16640 402e7f htons inet_addr 16639->16640 16641 402ea5 gethostbyname 16639->16641 16643 402ceb 16639->16643 16640->16639 16640->16641 16641->16639 16644 402cf2 16643->16644 16646 402d1c 16644->16646 16647 402d0e Sleep 16644->16647 16648 402a62 GetProcessHeap HeapAlloc 16644->16648 16646->16639 16647->16644 16647->16646 16649 402a92 16648->16649 16650 402a99 socket 16648->16650 16649->16644 16651 402cd3 GetProcessHeap HeapFree 16650->16651 16652 402ab4 16650->16652 16651->16649 16652->16651 16666 402abd 16652->16666 16653 402adb htons 16668 4026ff 16653->16668 16655 402b04 select 16655->16666 16656 402cb3 GetProcessHeap HeapFree closesocket 16656->16649 16657 402b3f recv 16657->16666 16658 402b66 htons 16659 402ca4 16658->16659 16658->16666 16659->16656 16660 402b87 htons 16660->16659 16660->16666 16662 402bf3 GetProcessHeap HeapAlloc 16662->16666 16664 402c17 htons 16683 402871 16664->16683 16666->16653 16666->16655 16666->16656 16666->16657 16666->16658 16666->16659 16666->16660 16666->16662 16666->16664 16667 402c4d GetProcessHeap HeapFree 16666->16667 16675 402923 16666->16675 16687 402904 16666->16687 16667->16666 16669 40271d 16668->16669 16670 402717 16668->16670 16672 40272b GetTickCount htons 16669->16672 16671 40ebcc 4 API calls 16670->16671 16671->16669 16673 4027cc htons htons sendto 16672->16673 16674 40278a 16672->16674 
16673->16666 16674->16673 16676 402944 16675->16676 16678 40293d 16675->16678 16691 402816 htons 16676->16691 16678->16666 16679 402871 htons 16680 402950 16679->16680 16680->16678 16680->16679 16681 4029bd htons htons htons 16680->16681 16681->16678 16682 4029f6 GetProcessHeap HeapAlloc 16681->16682 16682->16678 16682->16680 16684 4028e3 16683->16684 16686 402889 16683->16686 16684->16666 16685 4028c3 htons 16685->16684 16685->16686 16686->16684 16686->16685 16688 402921 16687->16688 16689 402908 16687->16689 16688->16666 16690 402909 GetProcessHeap HeapFree 16689->16690 16690->16688 16690->16690 16692 40286b 16691->16692 16693 402836 16691->16693 16692->16680 16693->16692 16694 40285c htons 16693->16694 16694->16692 16694->16693 16696 406bc0 16695->16696 16697 406bbc 16695->16697 16698 406bd4 16696->16698 16699 40ebcc 4 API calls 16696->16699 16697->16240 16698->16240 16700 406be4 16699->16700 16700->16698 16701 406c07 CreateFileA 16700->16701 16702 406bfc 16700->16702 16704 406c34 WriteFile 16701->16704 16705 406c2a 16701->16705 16703 40ec2e codecvt 4 API calls 16702->16703 16703->16698 16707 406c49 CloseHandle DeleteFileA 16704->16707 16708 406c5a CloseHandle 16704->16708 16706 40ec2e codecvt 4 API calls 16705->16706 16706->16698 16707->16705 16709 40ec2e codecvt 4 API calls 16708->16709 16709->16698 14874 41a7d0 14877 41a3e0 14874->14877 14876 41a7d5 14878 41a408 14877->14878 14879 41a498 6 API calls 14878->14879 14898 41a5a8 14878->14898 14880 41a4ff 6 API calls 14879->14880 14881 41a575 GetSystemDefaultLCID 14880->14881 14884 41a584 RtlEnterCriticalSection 14881->14884 14885 41a58f 14881->14885 14882 41a5f2 GetSystemTimes 14886 41a616 14882->14886 14882->14898 14883 41a5e2 GetUserObjectInformationW 14883->14882 14884->14885 14889 41a598 LoadLibraryA 14885->14889 14885->14898 14887 41a614 14886->14887 14888 41a61f FoldStringW 14886->14888 14890 41a63d 8 API calls 14887->14890 14891 41a6cc GlobalAlloc 14887->14891 14888->14887 14889->14898 14901 41a69c 
14890->14901 14892 41a6e9 14891->14892 14893 41a71c LoadLibraryW 14891->14893 14892->14893 14904 41a110 GetModuleHandleW GetProcAddress VirtualProtect 14893->14904 14896 41a72c 14905 41a370 14896->14905 14898->14882 14898->14883 14898->14887 14899 41a749 GlobalSize 14900 41a731 14899->14900 14900->14899 14902 41a773 InterlockedExchange 14900->14902 14903 41a789 14900->14903 14901->14891 14902->14900 14903->14876 14904->14896 14906 41a392 14905->14906 14907 41a386 QueryDosDeviceW 14905->14907 14916 41a260 14906->14916 14907->14906 14910 41a3a5 FreeEnvironmentStringsW 14911 41a3ad 14910->14911 14919 41a2a0 14911->14919 14914 41a3c4 RtlAllocateHeap GetNumaProcessorNode 14915 41a3da 14914->14915 14915->14900 14917 41a277 GetStartupInfoW LoadLibraryA 14916->14917 14918 41a289 14916->14918 14917->14918 14918->14910 14918->14911 14920 41a2d5 14919->14920 14921 41a2c4 BuildCommDCBW 14919->14921 14922 41a2dd WritePrivateProfileStringA UnhandledExceptionFilter 14920->14922 14925 41a2f3 14920->14925 14921->14925 14922->14925 14923 41a33f 14923->14914 14923->14915 14925->14923 14926 41a329 GetShortPathNameA 14925->14926 14927 41a290 14925->14927 14926->14925 14930 41a210 14927->14930 14931 41a23b 14930->14931 14932 41a22c VirtualLock 14930->14932 14931->14925 14932->14931 16710 55b88e 16711 55b89d 16710->16711 16714 55c02e 16711->16714 16719 55c049 16714->16719 16715 55c052 CreateToolhelp32Snapshot 16716 55c06e Module32First 16715->16716 16715->16719 16717 55b8a6 16716->16717 16718 55c07d 16716->16718 16721 55bced 16718->16721 16719->16715 16719->16716 16722 55bd18 16721->16722 16723 55bd61 16722->16723 16724 55bd29 VirtualAlloc 16722->16724 16723->16723 16724->16723
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                                            • API String ID: 2089075347-2824936573
                                                                                                            • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                                            • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
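The "APIs" list above is the tracer's raw view of one function: API name, module, a window of argument slots (hex, or "?" where the value was not recovered) and the address of the call. The following Python is an added example, not part of the Joe Sandbox report, that parses lines in exactly that format and decodes the constants a triager otherwise looks up by hand: the SetErrorMode bits, the hive handle passed to RegOpenKeyExA (80000001 vs 80000002), the RegSetValueExA value type, the CreateProcessA creation flags (08000000) and the Sleep durations. The sample lines are copied from the list above. Positional decoding assumes that the leading argument slots line up with the documented prototype, which holds for these lines but is not guaranteed by the export, since the tracer prints a fixed window of stack slots; the 00000103 / 00000101 values that recur after the registry calls are therefore decoded by a separate helper without asserting which slot they occupy.

```python
"""Parse the per-function "APIs" list exported by Joe Sandbox and decode the
numeric constants a triager would otherwise look up by hand (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the "APIs" lines for the function at 00409A7F,
# copied from the report. The bullets are part of the export format.
SAMPLE = """\
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the tracer printed "?"
    ref: int                   # address of the call instruction
    subcall: Optional[int]     # "Part of subcall function" address, if any


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers such as "APIs" / "Strings" are skipped
        raw = m.group("args")
        args = [] if not raw else [None if a == "?" else int(a, 16) for a in raw.split(",")]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


# Well-known Win32 constants (winbase.h / winreg.h / processthreadsapi.h).
SEM = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
       0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                0x200: "CREATE_NEW_PROCESS_GROUP", 0x400: "CREATE_UNICODE_ENVIRONMENT",
                0x08000000: "CREATE_NO_WINDOW"}


def flags(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask as NAME|NAME, keeping any bits the table does not know."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) if names else "0"


def decode_key_access(value: int) -> str:
    """Decode a samDesired mask such as the 00000103 / 00000101 slots in the report.
    The tracer prints a fixed window of stack slots, so which slot holds samDesired
    is not asserted here; apply this to the value by hand."""
    return flags(value, KEY_ACCESS)


def decode(call: ApiCall) -> Dict[str, str]:
    """Decode the parameters that matter for triage. Assumption: the leading slots of
    the tracer's argument list line up with the API prototype (true for the sample)."""
    def slot(i: int) -> Optional[int]:
        return call.args[i] if i < len(call.args) else None
    out: Dict[str, str] = {}
    if call.api == "SetErrorMode" and slot(0) is not None:
        out["uMode"] = flags(slot(0), SEM)
    elif call.api.startswith("RegOpenKeyEx") and slot(0) in HIVES:
        out["hKey"] = HIVES[slot(0)]
    elif call.api.startswith("RegSetValueEx") and slot(3) is not None:
        out["dwType"] = REG_TYPES.get(slot(3), hex(slot(3)))
    elif call.api.startswith("CreateProcess") and slot(5) is not None:
        out["dwCreationFlags"] = flags(slot(5), CREATE_FLAGS)
    elif call.api == "Sleep" and slot(0) is not None:
        out["dwMilliseconds"] = f"{slot(0)} ms"
    return out


BEHAVIOURS = [("RegSetValueEx", "registry write"), ("CreateProcess", "spawns process"),
              ("DeleteFile", "deletes file"), ("StartServiceCtrlDispatcher", "runs as a service"),
              ("WSAStartup", "initialises Winsock")]


def summarise(calls: List[ApiCall]) -> List[str]:
    """Order-preserving list of behaviour tags triggered by the trace."""
    tags: List[str] = []
    for c in calls:
        for prefix, tag in BEHAVIOURS:
            if c.api.startswith(prefix) and tag not in tags:
                tags.append(tag)
    return tags


if __name__ == "__main__":
    trace = parse_trace(SAMPLE)
    for c in trace:
        print(f"{c.ref:08X} {c.api}.{c.module} {decode(c)}")
    print("behaviours:", summarise(trace))
```

Run against the full "APIs" block of a function rather than the sample, the parser keeps the "Part of subcall function" lines as separate records carrying the subcall address, so the tree structure of the report is not lost; extend BEHAVIOURS and the decode table with the APIs that matter for the case at hand.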

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 264 41a3e0-41a405 265 41a408-41a40e 264->265 266 41a410-41a41a 265->266 267 41a41f-41a429 265->267 266->267 268 41a42b-41a446 267->268 269 41a44c-41a453 267->269 268->269 269->265 270 41a455-41a45d 269->270 272 41a460-41a466 270->272 273 41a474-41a47e 272->273 274 41a468-41a46e 272->274 275 41a480 273->275 276 41a482-41a489 273->276 274->273 275->276 276->272 277 41a48b-41a492 276->277 278 41a498-41a582 InterlockedDecrement SetConsoleTitleA GlobalSize FindAtomW SearchPathA SetConsoleMode GetDefaultCommConfigW CopyFileExA GetEnvironmentStringsW WriteConsoleOutputW GetNumaHighestNodeNumber DebugActiveProcessStop GetSystemDefaultLCID 277->278 279 41a5ca-41a5d6 277->279 286 41a584-41a589 RtlEnterCriticalSection 278->286 287 41a58f-41a596 278->287 280 41a5d8-41a5e0 279->280 284 41a5f2-41a609 GetSystemTimes 280->284 285 41a5e2-41a5ec GetUserObjectInformationW 280->285 288 41a616-41a61d 284->288 289 41a60b-41a612 284->289 285->284 286->287 292 41a5a8-41a5c7 287->292 293 41a598-41a5a2 LoadLibraryA 287->293 290 41a62f-41a637 288->290 291 41a61f-41a629 FoldStringW 288->291 289->280 294 41a614 289->294 295 41a63d-41a6c6 GetConsoleAliasesLengthW CallNamedPipeA GetComputerNameW CopyFileA GetFileAttributesW GetConsoleAliasExesLengthW OpenWaitableTimerA GetBinaryType 290->295 296 41a6cc-41a6e7 GlobalAlloc 290->296 291->290 292->279 293->292 294->290 295->296 297 41a6e9-41a6f4 296->297 298 41a71c-41a727 LoadLibraryW call 41a110 296->298 301 41a700-41a710 297->301 307 41a72c-41a73f call 41a370 298->307 304 41a712 301->304 305 41a717-41a71a 301->305 304->305 305->298 305->301 313 41a740-41a747 307->313 314 41a749-41a759 GlobalSize 313->314 315 41a75d-41a763 313->315 314->315 316 41a765 call 41a100 315->316 317 41a76a-41a771 315->317 316->317 320 41a780-41a787 317->320 321 41a773-41a77a InterlockedExchange 317->321 320->313 323 41a789-41a799 320->323 321->320 
325 41a7a0-41a7a5 323->325 326 41a7a7-41a7ad 325->326 327 41a7af-41a7b5 325->327 326->327 329 41a7b7-41a7cb 326->329 327->325 327->329
                                                                                                            APIs
                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 0041A49D
                                                                                                            • SetConsoleTitleA.KERNEL32(00000000), ref: 0041A4A5
                                                                                                            • GlobalSize.KERNEL32(00000000), ref: 0041A4AD
                                                                                                            • FindAtomW.KERNEL32(00000000), ref: 0041A4B5
                                                                                                            • SearchPathA.KERNEL32(0041C9BC,0041C9A0,0041C980,00000000,?,?), ref: 0041A4D9
                                                                                                            • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A4E3
                                                                                                            • GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A50B
                                                                                                            • CopyFileExA.KERNEL32(0041C9E8,0041C9DC,00000000,00000000,00000000,00000000), ref: 0041A523
                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0041A529
                                                                                                            • WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A548
                                                                                                            • GetNumaHighestNodeNumber.KERNEL32(?), ref: 0041A553
                                                                                                            • DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A55B
                                                                                                            • GetSystemDefaultLCID.KERNEL32 ref: 0041A575
                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0041A589
                                                                                                            • LoadLibraryA.KERNEL32(00000000), ref: 0041A5A2
                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A5EC
                                                                                                            • GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A601
                                                                                                            • FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A629
                                                                                                            • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A64C
                                                                                                            • CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A659
                                                                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0041A661
                                                                                                            • CopyFileA.KERNEL32(0041CA6C,0041CA44,00000000), ref: 0041A672
                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041A679
                                                                                                            • GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A67F
                                                                                                            • OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041A688
                                                                                                            • GetBinaryType.KERNEL32(00000000,00000000), ref: 0041A690
                                                                                                            • GlobalAlloc.KERNELBASE(00000000,004220DC), ref: 0041A6CF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128822017.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_415000_RSno9EH0K9.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Console$File$CopyDefaultGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesBinaryCallCommComputerConfigCriticalDebugDecrementEnterEnvironmentExesFindFoldHighestInformationInterlockedLibraryLoadModeNameNamedNodeNumaNumberObjectOpenOutputPathPipeProcessSearchSectionSizeStopStringStringsTimerTimesTitleTypeUserWaitableWrite
                                                                                                            • String ID: k`$}$
                                                                                                            • API String ID: 1387190455-956986773
                                                                                                            • Opcode ID: 912131365e5db89625fd3543ccbcbedf9a45265c402bb1bea6a2fe20e74cab5a
                                                                                                            • Instruction ID: 0557cc61fcd4be446cea29f0adcb16bc1319e3bbd06375e612c880dc7daf55e9
                                                                                                            • Opcode Fuzzy Hash: 912131365e5db89625fd3543ccbcbedf9a45265c402bb1bea6a2fe20e74cab5a
                                                                                                            • Instruction Fuzzy Hash: 41A11771A45310AFD320AB61DC49BDB7BA4EB4C715F00803AF659A61E0D7789981CBEF

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 564 409326-409348 call 401910 GetVersionExA 567 409358-40935c 564->567 568 40934a-409356 564->568 569 409360-40937d GetModuleHandleA GetModuleFileNameA 567->569 568->569 570 409385-4093a2 569->570 571 40937f 569->571 572 4093a4-4093d7 call 402544 wsprintfA 570->572 573 4093d9-409412 call 402544 wsprintfA 570->573 571->570 578 409415-40942c call 40ee2a 572->578 573->578 581 4094a3-4094b3 call 406edd 578->581 582 40942e-409432 578->582 587 4094b9-4094f9 call 402544 RegOpenKeyExA 581->587 588 40962f-409632 581->588 582->581 584 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 582->584 584->581 598 409502-40952e call 402544 RegQueryValueExA 587->598 599 4094fb-409500 587->599 590 409634-409637 588->590 593 409639-40964a call 401820 590->593 594 40967b-409682 590->594 609 40964c-409662 593->609 610 40966d-409679 593->610 601 409683 call 4091eb 594->601 617 409530-409537 598->617 618 409539-409565 call 402544 RegQueryValueExA 598->618 603 40957a-40957f 599->603 613 409688-409690 601->613 607 409581-409584 603->607 608 40958a-40958d 603->608 607->590 607->608 608->594 614 409593-40959a 608->614 615 409664-40966b 609->615 616 40962b-40962d 609->616 610->601 620 409692 613->620 621 409698-4096a0 613->621 623 40961a-40961f 614->623 624 40959c-4095a1 614->624 615->616 622 4096a2-4096a9 616->622 625 40956e-409577 RegCloseKey 617->625 618->625 633 409567 618->633 620->621 621->622 628 409625 623->628 624->623 629 4095a3-4095c0 call 40f0e4 624->629 625->603 628->616 637 4095c2-4095db call 4018e0 629->637 638 40960c-409618 629->638 633->625 637->622 641 4095e1-4095f9 637->641 638->628 641->622 642 4095ff-409607 641->642 642->622
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                                            • API String ID: 3696105349-2220793183
                                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                                            Control-flow Graph
                                                                                                            control_flow_graph 643 40405e-40407b CreateEventA 644 404084-4040a8 call 403ecd call 404000 643->644 645 40407d-404081 643->645 650 404130-40413e call 40ee2a 644->650 651 4040ae-4040be call 40ee2a 644->651 656 40413f-404165 call 403ecd CreateNamedPipeA 650->656 651->650 657 4040c0-4040f1 call 40eca5 call 403f18 call 403f8c 651->657 662 404167-404174 Sleep 656->662 663 404188-404193 ConnectNamedPipe 656->663 674 4040f3-4040ff 657->674 675 404127-40412a CloseHandle 657->675 662->656 667 404176-404182 CloseHandle 662->667 665 404195-4041a5 GetLastError 663->665 666 4041ab-4041c0 call 403f8c 663->666 665->666 670 40425e-404265 DisconnectNamedPipe 665->670 666->663 676 4041c2-4041f2 call 403f18 call 403f8c 666->676 667->663 670->663 674->675 677 404101-404121 call 403f18 ExitProcess 674->677 675->650 676->670 684 4041f4-404200 676->684 684->670 685 404202-404215 call 403f8c 684->685 685->670 688 404217-40421b 685->688 688->670 689 40421d-404230 call 403f8c 688->689 689->670 692 404232-404236 689->692 692->663 693 40423c-404251 call 403f18 692->693 696 404253-404259 693->696 697 40426a-404276 CloseHandle * 2 call 40e318 693->697 696->663 699 40427b 697->699 699->699
                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateEventExitProcess
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 2404124870-2980165447
                                                                                                            • Opcode ID: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                            • Instruction ID: a90c6c4c2b7f8b8208d93dc1fe438bcf4b3bc6ab1fe170e3c7599fd426c471ab
                                                                                                            • Opcode Fuzzy Hash: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                            • Instruction Fuzzy Hash: 3851A3B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                                            Control-flow Graph
                                                                                                            control_flow_graph 738 406a60-406a89 CreateFileA 739 406b8c-406ba1 GetLastError 738->739 740 406a8f-406ac3 GetDiskFreeSpaceA 738->740 743 406ba3-406ba6 739->743 741 406ac5-406adc call 40eb0e 740->741 742 406b1d-406b34 call 406987 740->742 741->742 750 406ade 741->750 748 406b56-406b63 FindCloseChangeNotification 742->748 749 406b36-406b54 GetLastError CloseHandle 742->749 752 406b65-406b7d GetLastError CloseHandle 748->752 753 406b86-406b8a 748->753 751 406b7f-406b80 DeleteFileA 749->751 754 406ae0-406ae5 750->754 755 406ae7-406afb call 40eca5 750->755 751->753 752->751 753->743 754->755 756 406afd-406aff 754->756 755->742 756->742 759 406b01 756->759 760 406b03-406b08 759->760 761 406b0a-406b17 call 40eca5 759->761 760->742 760->761 761->742
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                            • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 1251348514-2980165447
                                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                            • String ID:
                                                                                                            • API String ID: 1209300637-0
                                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                            APIs
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0055C056
                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 0055C076
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129020290.000000000055B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0055B000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_55b000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                            • String ID:
                                                                                                            • API String ID: 3833638111-0
                                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                            • Instruction ID: a0424db33bef8df2c5b5168469dfc1d4b5284498f89977c6cd2020d554e68ae9
                                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                            • Instruction Fuzzy Hash: CEF09631500711EFD7203BF9989DB6E7EECBF49726F10052AEA52910D0DBB0EC494A61
                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                              • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                              • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2559512979-0
                                                                                                            • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                            • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                                            • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                            • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                                            Control-flow Graph
                                                                                                            control_flow_graph 331 4073ff-407419 332 40741b 331->332 333 40741d-407422 331->333 332->333 334 407424 333->334 335 407426-40742b 333->335 334->335 336 407430-407435 335->336 337 40742d 335->337 338 407437 336->338 339 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 336->339 337->336 338->339 344 407487-40749d call 40ee2a 339->344 345 4077f9-4077fe call 40ee2a 339->345 351 407703-40770e RegEnumKeyA 344->351 350 407801 345->350 354 407804-407808 350->354 352 4074a2-4074b1 call 406cad 351->352 353 407714-40771d RegCloseKey 351->353 357 4074b7-4074cc call 40f1a5 352->357 358 4076ed-407700 352->358 353->350 357->358 361 4074d2-4074f8 RegOpenKeyExA 357->361 358->351 362 407727-40772a 361->362 363 4074fe-407530 call 402544 RegQueryValueExA 361->363 364 407755-407764 call 40ee2a 362->364 365 40772c-407740 call 40ef00 362->365 363->362 371 407536-40753c 363->371 376 4076df-4076e2 364->376 373 407742-407745 RegCloseKey 365->373 374 40774b-40774e 365->374 375 40753f-407544 371->375 373->374 378 4077ec-4077f7 RegCloseKey 374->378 375->375 377 407546-40754b 375->377 376->358 379 4076e4-4076e7 RegCloseKey 376->379 377->364 380 407551-40756b call 40ee95 377->380 378->354 379->358 380->364 383 407571-407593 call 402544 call 40ee95 380->383 388 407753 383->388 389 407599-4075a0 383->389 388->364 390 4075a2-4075c6 call 40ef00 call 40ed03 389->390 391 4075c8-4075d7 call 40ed03 389->391 397 4075d8-4075da 390->397 391->397 399 4075dc 397->399 400 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 397->400 399->400 409 407626-40762b 400->409 409->409 410 40762d-407634 409->410 411 407637-40763c 410->411 411->411 412 40763e-407642 411->412 413 407644-407656 call 40ed77 412->413 414 40765c-407673 call 40ed23 412->414 421 407769-40777c call 40ef00 413->421 419 407680 414->419 420 407675-40767e 414->420 422 407683-40768e call 406cad 419->422 420->422 426 4077e3-4077e6 RegCloseKey 421->426 428 407722-407725 422->428 429 407694-4076bf call 40f1a5 call 406c96 422->429 426->378 430 4076dd 428->430 435 4076c1-4076c7 429->435 436 4076d8 429->436 430->376 435->436 437 4076c9-4076d2 435->437 436->430 437->436 438 40777e-407797 GetFileAttributesExA 437->438 439 407799 438->439 440 40779a-40779f 438->440 439->440 441 4077a1 440->441 442 4077a3-4077a8 440->442 441->442 443 4077c4-4077c8 442->443 444 4077aa-4077c0 call 40ee08 442->444 446 4077d7-4077dc 443->446 447 4077ca-4077d6 call 40ef00 443->447 444->443 450 4077e0-4077e2 446->450 451 4077de 446->451 447->446 450->426 451->450
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                                            • API String ID: 3433985886-3108538426
                                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                                            Control-flow Graph
                                                                                                            control_flow_graph 453 40704c-407071 454 407073 453->454 455 407075-40707a 453->455 454->455 456 40707c 455->456 457 40707e-407083 455->457 456->457 458 407085 457->458 459 407087-40708c 457->459 458->459 460 407090-4070ca call 402544 RegOpenKeyExA 459->460 461 40708e 459->461 464 4070d0-4070f6 call 406dc2 460->464 465 4071b8-4071c8 call 40ee2a 460->465 461->460 471 40719b-4071a9 RegEnumValueA 464->471 470 4071cb-4071cf 465->470 472 4070fb-4070fd 471->472 473 4071af-4071b2 RegCloseKey 471->473 474 40716e-407194 472->474 475 4070ff-407102 472->475 473->465 474->471 475->474 476 407104-407107 475->476 476->474 477 407109-40710d 476->477 477->474 478 40710f-407133 call 402544 call 40eed1 477->478 483 4071d0-407203 call 402544 call 40ee95 call 40ee2a 478->483 484 407139-407145 call 406cad 478->484 499 407205-407212 RegCloseKey 483->499 500 407227-40722e 483->500 490 407147-40715c call 40f1a5 484->490 491 40715e-40716b call 40ee2a 484->491 490->483 490->491 491->474 501 407222-407225 499->501 502 407214-407221 call 40ef00 499->502 503 407230-407256 call 40ef00 call 40ed23 500->503 504 40725b-40728c call 402544 call 40ee95 call 40ee2a 500->504 501->470 502->501 503->504 516 407258 503->516 518 4072b8-4072cb call 40ed77 504->518 519 40728e-40729a RegCloseKey 504->519 516->504 526 4072dd-4072f4 call 40ed23 518->526 527 4072cd-4072d8 RegCloseKey 518->527 520 4072aa-4072b3 519->520 521 40729c-4072a9 call 40ef00 519->521 520->470 521->520 530 407301 526->530 531 4072f6-4072ff 526->531 527->470 532 407304-40730f call 406cad 530->532 531->532 535 407311-40731d RegCloseKey 532->535 536 407335-40735d call 406c96 532->536 537 40732d-407330 535->537 538 40731f-40732c call 40ef00 535->538 543 4073d5-4073e2 RegCloseKey 536->543 544 40735f-407365 536->544 537->520 538->537 546 4073f2-4073f7 543->546 547 4073e4-4073f1 call 40ef00 543->547 544->543 545 407367-407370 544->545 545->543 548 407372-40737c 545->548 547->546 550 40739d-4073a2 548->550 551 40737e-407395 GetFileAttributesExA 548->551 553 4073a4 550->553 554 4073a6-4073a9 550->554 551->550 555 407397 551->555 553->554 556 4073b9-4073bc 554->556 557 4073ab-4073b8 call 40ef00 554->557 555->550 559 4073cb-4073cd 556->559 560 4073be-4073ca call 40ef00 556->560 557->556 559->543 560->559
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                                            • RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                                            • RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                            • String ID: $"$PromptOnSecureDesktop
                                                                                                            • API String ID: 4293430545-98143240
                                                                                                            • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                                            • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 700 40675c-406778 701 406784-4067a2 CreateFileA 700->701 702 40677a-40677e SetFileAttributesA 700->702 703 4067a4-4067b2 CreateFileA 701->703 704 4067b5-4067b8 701->704 702->701 703->704 705 4067c5-4067c9 704->705 706 4067ba-4067bf SetFileAttributesA 704->706 707 406977-406986 705->707 708 4067cf-4067df GetFileSize 705->708 706->705 709 4067e5-4067e7 708->709 710 40696b 708->710 709->710 711 4067ed-40680b ReadFile 709->711 712 40696e-406971 FindCloseChangeNotification 710->712 711->710 713 406811-406824 SetFilePointer 711->713 712->707 713->710 714 40682a-406842 ReadFile 713->714 714->710 715 406848-406861 SetFilePointer 714->715 715->710 716 406867-406876 715->716 717 4068d5-4068df 716->717 718 406878-40688f ReadFile 716->718 717->712 719 4068e5-4068eb 717->719 720 406891-40689e 718->720 721 4068d2 718->721 722 4068f0-4068fe call 40ebcc 719->722 723 4068ed 719->723 724 4068a0-4068b5 720->724 725 4068b7-4068ba 720->725 721->717 722->710 731 406900-40690b SetFilePointer 722->731 723->722 727 4068bd-4068c3 724->727 725->727 729 4068c5 727->729 730 4068c8-4068ce 727->730 729->730 730->718 732 4068d0 730->732 733 40695a-406969 call 40ec2e 731->733 734 40690d-406920 ReadFile 731->734 732->717 733->712 734->733 735 406922-406958 734->735 735->712
                                                                                                            APIs
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                                            • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 1400801100-0
                                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 764 207003c-2070047 765 207004c-2070263 call 2070a3f call 2070e0f call 2070d90 VirtualAlloc 764->765 766 2070049 764->766 781 2070265-2070289 call 2070a69 765->781 782 207028b-2070292 765->782 766->765 787 20702ce-20703c2 VirtualProtect call 2070cce call 2070ce7 781->787 784 20702a1-20702b0 782->784 786 20702b2-20702cc 784->786 784->787 786->784 793 20703d1-20703e0 787->793 794 20703e2-2070437 call 2070ce7 793->794 795 2070439-20704b8 VirtualFree 793->795 794->793 797 20705f4-20705fe 795->797 798 20704be-20704cd 795->798 801 2070604-207060d 797->801 802 207077f-2070789 797->802 800 20704d3-20704dd 798->800 800->797 806 20704e3-2070505 LoadLibraryA 800->806 801->802 807 2070613-2070637 801->807 804 20707a6-20707b0 802->804 805 207078b-20707a3 802->805 808 20707b6-20707cb 804->808 809 207086e-20708be LoadLibraryA 804->809 805->804 810 2070517-2070520 806->810 811 2070507-2070515 806->811 812 207063e-2070648 807->812 813 20707d2-20707d5 808->813 816 20708c7-20708f9 809->816 814 2070526-2070547 810->814 811->814 812->802 815 207064e-207065a 812->815 817 20707d7-20707e0 813->817 818 2070824-2070833 813->818 819 207054d-2070550 814->819 815->802 820 2070660-207066a 815->820 821 2070902-207091d 816->821 822 20708fb-2070901 816->822 823 20707e4-2070822 817->823 824 20707e2 817->824 828 2070839-207083c 818->828 825 2070556-207056b 819->825 826 20705e0-20705ef 819->826 827 207067a-2070689 820->827 822->821 823->813 824->818 832 207056f-207057a 825->832 833 207056d 825->833 826->800 829 2070750-207077a 827->829 830 207068f-20706b2 827->830 828->809 831 207083e-2070847 828->831 829->812 836 20706b4-20706ed 830->836 837 20706ef-20706fc 830->837 838 207084b-207086c 831->838 839 2070849 831->839 834 207057c-2070599 832->834 835 207059b-20705bb 832->835 833->826 847 20705bd-20705db 834->847 835->847 836->837 841 20706fe-2070748 837->841 842 207074b 
837->842 838->828 839->809 841->842 842->827 847->819
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0207024D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: cess$kernel32.dll
                                                                                                            • API String ID: 4275171209-1230238691
                                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                            • Instruction ID: 50efd5ea452f4a254e78f57e487951b55c6c7cb92d3f8d917f5750a4a807583a
                                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                            • Instruction Fuzzy Hash: D5525875E012299FDBA4CF58C984BACBBB1BF09304F1481D9E94DAB251DB30AA85DF14

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 848 41a6f6-41a6fd 849 41a700-41a710 848->849 850 41a712 849->850 851 41a717-41a71a 849->851 850->851 851->849 852 41a71c-41a73f LoadLibraryW call 41a110 call 41a370 851->852 857 41a740-41a747 852->857 858 41a749-41a759 GlobalSize 857->858 859 41a75d-41a763 857->859 858->859 860 41a765 call 41a100 859->860 861 41a76a-41a771 859->861 860->861 863 41a780-41a787 861->863 864 41a773-41a77a InterlockedExchange 861->864 863->857 866 41a789-41a799 863->866 864->863 867 41a7a0-41a7a5 866->867 868 41a7a7-41a7ad 867->868 869 41a7af-41a7b5 867->869 868->869 870 41a7b7-41a7cb 868->870 869->867 869->870
                                                                                                            APIs
                                                                                                            • LoadLibraryW.KERNELBASE(0041CAA4), ref: 0041A721
                                                                                                            • GlobalSize.KERNEL32(00000000), ref: 0041A74B
                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 0041A77A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128822017.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_415000_RSno9EH0K9.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExchangeGlobalInterlockedLibraryLoadSize
                                                                                                            • String ID: k`$}$
                                                                                                            • API String ID: 1230614907-956986773
                                                                                                            • Opcode ID: b196a47d2894aa0dcdf6a77986d9a740ccb2e35e64265e3ef150c0d4e0576575
                                                                                                            • Instruction ID: 3d00e1cb30f40c3e3da36ac5a5c5ee68e1b26f71aacc13917bf9e631e8b9cb0e
                                                                                                            • Opcode Fuzzy Hash: b196a47d2894aa0dcdf6a77986d9a740ccb2e35e64265e3ef150c0d4e0576575
                                                                                                            • Instruction Fuzzy Hash: E11138306452409BC720A720DC867EBB760EB49315F14443EE66A961E1CB7898A2CBDF

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                            • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                            • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                              • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                              • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                              • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                              • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                              • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 4131120076-2980165447
                                                                                                            • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                            • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                                            • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                            • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 887 41a110-41a205 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(00421FB0), ref: 0041A1AE
                                                                                                            • GetProcAddress.KERNEL32(00000000,00420720), ref: 0041A1E1
                                                                                                            • VirtualProtect.KERNELBASE(00421DFC,004220DC,00000040,?), ref: 0041A200
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128822017.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_415000_RSno9EH0K9.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 2099061454-3916222277
                                                                                                            • Opcode ID: 0b67f6005c2e5e9acb061c7fc40d55ff61bcf7b67a2c75165a0cd6f5a2922ed5
                                                                                                            • Instruction ID: 620725763d30a95ae7b3b8aff8441e0f00cd701f24deb9c65bf4b569524bed01
                                                                                                            • Opcode Fuzzy Hash: 0b67f6005c2e5e9acb061c7fc40d55ff61bcf7b67a2c75165a0cd6f5a2922ed5
                                                                                                            • Instruction Fuzzy Hash: C6112964718240DED720CF64FE05B067AF1FBAC784F815278D1548B2B2EBB526468B5D

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 888 404000-404008 889 40400b-40402a CreateFileA 888->889 890 404057 889->890 891 40402c-404035 GetLastError 889->891 892 404059-40405c 890->892 893 404052 891->893 894 404037-40403a 891->894 896 404054-404056 892->896 893->896 894->893 895 40403c-40403f 894->895 895->892 897 404041-404050 Sleep 895->897 897->889 897->893
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 408151869-2980165447
                                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 898 406987-4069b7 899 4069e0 898->899 900 4069b9-4069be 898->900 902 4069e4-4069fd WriteFile 899->902 900->899 901 4069c0-4069d0 900->901 903 4069d2 901->903 904 4069d5-4069de 901->904 905 406a4d-406a51 902->905 906 4069ff-406a02 902->906 903->904 904->902 908 406a53-406a56 905->908 909 406a59 905->909 906->905 907 406a04-406a08 906->907 911 406a0a-406a0d 907->911 912 406a3c-406a3e 907->912 908->909 910 406a5b-406a5f 909->910 913 406a10-406a2e WriteFile 911->913 912->910 914 406a40-406a4b 913->914 915 406a30-406a33 913->915 914->910 915->914 916 406a35-406a3a 915->916 916->912 916->913
                                                                                                            APIs
                                                                                                            • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                            • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite
                                                                                                            • String ID: ,k@
                                                                                                            • API String ID: 3934441357-1053005162
                                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 918 4091eb-409208 919 409308 918->919 920 40920e-40921c call 40ed03 918->920 922 40930b-40930f 919->922 924 40921e-40922c call 40ed03 920->924 925 40923f-409249 920->925 924->925 931 40922e-409230 924->931 927 409250-409270 call 40ee08 925->927 928 40924b 925->928 934 409272-40927f 927->934 935 4092dd-4092e1 927->935 928->927 933 409233-409238 931->933 933->933 940 40923a-40923c 933->940 936 409281-409285 934->936 937 40929b-40929e 934->937 938 4092e3-4092e5 935->938 939 4092e7-4092e8 935->939 936->936 941 409287 936->941 943 4092a0 937->943 944 40928e-409293 937->944 938->939 942 4092ea-4092ef 938->942 939->935 940->925 941->937 947 4092f1-4092f6 Sleep 942->947 948 4092fc-409302 942->948 949 4092a8-4092ab 943->949 945 409295-409298 944->945 946 409289-40928c 944->946 945->949 950 40929a 945->950 946->944 946->950 947->948 948->919 948->920 951 4092a2-4092a5 949->951 952 4092ad-4092b0 949->952 950->937 953 4092b2 951->953 954 4092a7 951->954 952->953 955 4092bd 952->955 957 4092b5-4092b9 953->957 954->949 956 4092bf-4092db ShellExecuteA 955->956 956->935 958 409310-409324 956->958 957->957 959 4092bb 957->959 958->922 959->956
                                                                                                            APIs
                                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                                            • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteShellSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 4194306370-0
                                                                                                            • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                            • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                                            • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                            • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,02070223,?,?), ref: 02070E19
                                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,02070223,?,?), ref: 02070E1E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode
                                                                                                            • String ID:
                                                                                                            • API String ID: 2340568224-0
                                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                            • Instruction ID: 455c2124494d89fefc595ca8015f7c2e2e7cbe2ef3c0df78bb7229cd438db30c
                                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                            • Instruction Fuzzy Hash: C2D0123154522877D7412A94DC09BCD7B5CDF09B66F008011FB0DD9080C770954046E9
                                                                                                            APIs
                                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 1823874839-0
                                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0055BD3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129020290.000000000055B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0055B000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_55b000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                            • Instruction ID: aac5ca6e7c5fd0edba4c7bc08baee7225a93558f621866982ba934578ca4389c
                                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                            • Instruction Fuzzy Hash: C9112B79A00208EFDB01DF98C989E99BFF5EF08351F058095F9489B362D371EA50DB80
                                                                                                            APIs
                                                                                                            • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                                            • closesocket.WS2_32(?), ref: 0040CB63
                                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                                            • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                                            • wsprintfA.USER32 ref: 0040CD21
                                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                                            • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                                            • closesocket.WS2_32(?), ref: 0040D56C
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                                            • ExitProcess.KERNEL32 ref: 0040D583
                                                                                                            • wsprintfA.USER32 ref: 0040D81F
                                                                                                              • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                                            • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                            • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                            • API String ID: 562065436-3791576231
                                                                                                            • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                            • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                                            • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                            • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                            • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                                            • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                                            • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                                            • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                                            • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                                            • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                                            • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                            • API String ID: 2238633743-3228201535
                                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
• Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
• Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
• API String ID: 1628651668-179334549
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 020765F6
                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02076610
                                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02076631
                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02076652
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 1965334864-0
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3754425949-0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: .$GetProcAddress.$l
                                                                                                            • API String ID: 0-2784972518
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129020290.000000000055B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0055B000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_55b000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            APIs
                                                                                                            • ExitProcess.KERNEL32 ref: 02079E6D
                                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 02079FE1
                                                                                                            • lstrcat.KERNEL32(?,?), ref: 02079FF2
                                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0207A004
                                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0207A054
                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0207A09F
                                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0207A0D6
                                                                                                            • lstrcpy.KERNEL32 ref: 0207A12F
                                                                                                            • lstrlen.KERNEL32(00000022), ref: 0207A13C
                                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 02079F13
                                                                                                              • Part of subcall function 02077029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02077081
                                                                                                              • Part of subcall function 02076F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\bsoavhio,02077043), ref: 02076F4E
                                                                                                              • Part of subcall function 02076F30: GetProcAddress.KERNEL32(00000000), ref: 02076F55
                                                                                                              • Part of subcall function 02076F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02076F7B
                                                                                                              • Part of subcall function 02076F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02076F92
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0207A1A2
                                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0207A1C5
                                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0207A214
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0207A21B
                                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0207A265
                                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0207A29F
                                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0207A2C5
                                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0207A2D9
                                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0207A2F4
                                                                                                            • wsprintfA.USER32 ref: 0207A31D
                                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0207A345
                                                                                                            • lstrcat.KERNEL32(?,?), ref: 0207A364
                                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0207A387
                                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0207A398
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0207A1D1
                                                                                                              • Part of subcall function 02079966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0207999D
                                                                                                              • Part of subcall function 02079966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 020799BD
                                                                                                              • Part of subcall function 02079966: RegCloseKey.ADVAPI32(?), ref: 020799C6
                                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0207A3DB
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0207A3E2
                                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0207A41D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                            • String ID: "$"$"$D$P$\
                                                                                                            • API String ID: 1653845638-2605685093
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                                            • API String ID: 2976863881-1403908072
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02077D21
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02077D46
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02077D7D
                                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02077DA2
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02077DC0
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02077DD1
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02077DE5
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02077DF3
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02077E03
                                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02077E12
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 02077E19
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02077E35
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                                            • API String ID: 2976863881-1403908072
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                            • API String ID: 2400214276-165278494
                                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                            • API String ID: 3650048968-2394369944
                                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
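The function above (wsprintfA/send/recv with the strings ehlo %s, helo %s, AUTH LOGIN, mail from:<%s>, rcpt to:<%s>, data, quit) is the sample's outbound SMTP client. The following is an added example, not code from this report, from Joe Sandbox or from the sample: it replays that dialogue over a local socketpair against a constructed stub server so both sides' messages are visible, and it exercises the three reply checks the report's strings name (Too small respons, Too big smtp respons, Incorrect respons). The receiving MTA, hostnames, addresses and credentials are made up; 0x3F6 is the recv() length shown in the report; how the sample assembles a reply across recv() calls is not visible, so the accumulate-until-the-final-line loop is an assumption.

```python
import base64
import socket
import threading

RECV_LEN = 0x3F6  # 1014 bytes, the recv() size in the report

class SmtpError(Exception):
    """Carries the same wording the sample uses for its reply checks."""

def read_reply(sock, transcript):
    """Collect one reply (multi-line allowed) into at most RECV_LEN bytes; how the
    sample assembles a reply across recv() calls is not visible, so this loop is assumed."""
    buf = b""
    while True:
        chunk = sock.recv(RECV_LEN - len(buf))
        if not chunk:
            raise SmtpError("Too small respons")
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) > 1 and lines[-2][3:4] == b" ":
            break  # final line reads "NNN text", not a "NNN-" continuation
        if len(buf) >= RECV_LEN:
            raise SmtpError("Too big smtp respons (%d bytes)" % len(buf))
    for line in lines[:-1]:
        transcript.append("S: " + line.decode("latin-1"))
    if not buf[:3].isdigit():
        raise SmtpError("Incorrect respons")
    return buf[:3]

def command(sock, line, transcript, expect=None):
    """Send one command line; with `expect`, require that reply code."""
    transcript.append("C: " + line.decode("latin-1"))
    sock.sendall(line + b"\r\n")
    code = read_reply(sock, transcript)
    if expect is not None and code != expect:
        raise SmtpError("Incorrect respons")
    return code

def bot_session(sock, transcript, helo, user, password, sender, rcpt, body):
    """Client side, in the order the report's strings show."""
    if read_reply(sock, transcript) != b"220":
        raise SmtpError("Incorrect respons")
    if command(sock, b"ehlo " + helo, transcript) != b"250":  # ehlo refused:
        command(sock, b"helo " + helo, transcript, b"250")    # fall back to helo
    command(sock, b"AUTH LOGIN", transcript, b"334")  # then two base64 lines
    command(sock, base64.b64encode(user), transcript, b"334")
    command(sock, base64.b64encode(password), transcript, b"235")
    command(sock, b"mail from:<" + sender + b">", transcript, b"250")
    command(sock, b"rcpt to:<" + rcpt + b">", transcript, b"250")
    command(sock, b"data", transcript, b"354")
    sock.sendall(body + b"\r\n")
    command(sock, b".", transcript, b"250")  # end of data, then hang up
    command(sock, b"quit", transcript, b"221")

def stub_server(sock, reject_ehlo=False, oversize_banner=False):
    """Constructed receiving MTA: scripted replies for one message, then close."""
    if oversize_banner:  # a greeting larger than the bot's buffer
        sock.sendall(b"220 " + b"x" * (2 * RECV_LEN) + b"\r\n")
        return sock.close()
    replies = {b"ehlo": b"500 unrecognized" if reject_ehlo else b"250-mx.example.test\r\n250 AUTH LOGIN",
               b"helo": b"250 mx.example.test", b"auth": b"334 VXNlcm5hbWU6",
               b"mail": b"250 ok", b"rcpt": b"250 ok", b"quit": b"221 bye",
               b"data": b"354 end data with <CRLF>.<CRLF>"}
    sock.sendall(b"220 mx.example.test ESMTP\r\n")
    buf, queued, in_data = b"", [], False
    while chunk := sock.recv(4096):
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if in_data:  # swallow body lines until the lone "."
                if line == b".":
                    in_data = False
                    sock.sendall(b"250 queued\r\n")
                continue
            if queued:  # AUTH LOGIN: username line, then password line
                sock.sendall(queued.pop(0) + b"\r\n")
                continue
            verb = line.split(b" ", 1)[0].lower()
            sock.sendall(replies.get(verb, b"500 unrecognized") + b"\r\n")
            if verb == b"auth":
                queued = [b"334 UGFzc3dvcmQ6", b"235 authenticated"]
            in_data = verb == b"data"
            if verb == b"quit":
                return sock.close()
    sock.close()

def run(reject_ehlo=False, oversize_banner=False):
    client, server = socket.socketpair()
    worker = threading.Thread(target=stub_server, args=(server, reject_ehlo, oversize_banner))
    worker.start()
    transcript, error = [], None
    try:  # every host name, address and credential below is made up
        bot_session(client, transcript, b"bot-host", b"spam", b"hunter2",
                    b"sender@example.test", b"victim@example.test", b"Subject: hi\r\n\r\nbody")
    except SmtpError as exc:
        error = str(exc)
    finally:
        client.close()
        worker.join()
    return transcript, error
```

`run()` returns the full C:/S: transcript of a successful delivery; `run(reject_ehlo=True)` shows the helo fallback after a refused ehlo, and `run(oversize_banner=True)` shows the bot abandoning a server whose reply overruns its 0x3F6-byte buffer, which is the error path behind the Too big smtp respons string.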
                                                                                                            APIs
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02077A96
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02077ACD
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02077ADF
                                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02077B01
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02077B1F
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02077B39
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02077B4A
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02077B58
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02077B68
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02077B77
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 02077B7E
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02077B9A
                                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 02077BCA
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02077BF1
                                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 02077C0A
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02077C2C
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02077CB1
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02077CBF
                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02077CD0
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02077CE0
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 02077CEE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                            • String ID: D
                                                                                                            • API String ID: 3722657555-2746444292
                                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                            • Instruction ID: 3726faceb8032262de8c2d261be3fa4fd564b7e3dcee59b0e75bf6cdef1ca1b2
                                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                            • Instruction Fuzzy Hash: 3A813D72D00219AFEB12CFA4DD44FEEBBB8AF0C344F04806AE605E6160D7759641DBA8
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseOpenQuery
                                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                                            • API String ID: 237177642-1678164370
                                                                                                            • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                                            • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                                            APIs
                                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                            • API String ID: 835516345-270533642
                                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
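In the function above the literal 123.45.67.89 is passed to inet_addr() and the module then resolves GetAdaptersInfo, GetIfEntry and GetBestInterface from Iphlpapi.dll; the report shows no send or connect to that address in this function, which is consistent with the address serving only as the destination argument of GetBestInterface to learn which adapter carries outbound traffic, so it should not be read as a command-and-control peer on that basis alone. The following added example, not code from the sample or from Joe Sandbox, does the equivalent portably with a connected UDP socket, which performs route selection only and puts nothing on the wire; the probe address is the report's literal, the port is an arbitrary choice, and a host with no route to it returns None.

```python
import socket

PROBE_ADDR = "123.45.67.89"  # literal from the report; used only to pick a route

def egress_source_ip(probe=PROBE_ADDR, port=53):
    """Local IPv4 address the host would source from to reach `probe`, or None.

    connect() on a datagram socket asks the kernel for a route and binds the
    local side accordingly; no packet is sent, so this works with egress blocked.
    The port value is arbitrary (assumed here, not taken from the report).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((probe, port))
        return sock.getsockname()[0]
    except OSError:
        return None  # no route at all, e.g. an isolated analysis host
    finally:
        sock.close()

def is_ipv4(text):
    """True only for a full dotted quad; inet_aton alone also accepts short forms."""
    try:
        socket.inet_aton(text)
    except OSError:
        return False
    return text.count(".") == 3
```

Probing the loopback address always yields 127.0.0.1, which is a quick self-check; probing the report's address yields the real egress address on a connected host and None on an isolated one, without either case generating traffic to 123.45.67.89.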
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0207865A
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0207867B
                                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 020786A8
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 020786B1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseOpenQuery
                                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                                            • API String ID: 237177642-3108538426
                                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                            • Instruction ID: d3a1a78929ed929e1adb6df1e3c3439814830ce8c880bd753d9c5cb2d935d8a4
                                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                            • Instruction Fuzzy Hash: ABC18271D00349BEEB529BA4DD88EEF7BBDEB04304F148065F605E6050E7B18A94BB69
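Both registry functions above (the one in the main image at 0x400000 and its copy in the 0x2070000 region) open a key under HKEY_LOCAL_MACHINE (0x80000002), query a value and then write a 4-byte REG_DWORD (type 4) alongside the string PromptOnSecureDesktop; the key path and the data written appear as ? in the call references, that is, they were not recovered. The following is an added check for this report, not code from the sample or from Joe Sandbox: a parser for `reg export` output and an audit of that value. The key path is the documented location of the UAC policy values (an assumption here, since the report does not show it), the export text is constructed, and the audit flags any value other than the Windows default of 1.

```python
import re

# Documented location of the UAC policy values (assumed here; the report only
# shows that the key the sample opens is under HKEY_LOCAL_MACHINE).
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed `reg export` text standing in for a host where the value was changed.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"PromptOnSecureDesktop"=dword:00000000
"""

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Parse .reg export text into {key: {name: (kind, data)}}; dword data becomes int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if current is None or not match:
            continue  # header, blank line, or a form this parser does not model
        name, data = match.groups()
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[len("dword:"):], 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = ("REG_SZ", data[1:-1])
        else:
            keys[current][name] = ("RAW", data)  # hex:, hex(7): etc. kept as text
    return keys

def audit_secure_desktop(keys):
    """Finding string if PromptOnSecureDesktop is not the Windows default (REG_DWORD 1)."""
    value = keys.get(UAC_KEY, {}).get("PromptOnSecureDesktop")
    if value is None:
        return None  # absent: the default applies and elevation prompts use the secure desktop
    kind, data = value
    if kind != "REG_DWORD":
        return "PromptOnSecureDesktop has type %s, expected REG_DWORD" % kind
    if data != 1:
        return "PromptOnSecureDesktop=%d: UAC prompts no longer on the secure desktop" % data
    return None
```

Feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" uac.reg` from a host of interest; a finding means the elevation prompt can be drawn on the interactive desktop, where other processes of the same user can interact with it, which is the state the report's RegSetValueExA call would produce if the written DWORD is 0.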
                                                                                                            APIs
                                                                                                            • ShellExecuteExW.SHELL32(?), ref: 02071601
                                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 020717D8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteShelllstrlen
                                                                                                            • String ID: $<$@$D
                                                                                                            • API String ID: 1628651668-1974347203
                                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                            • Instruction ID: 4423b60101dd8438128f98c04ba79caaa4b7ed3b414c9d10e94c359f01226777
                                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                            • Instruction Fuzzy Hash: 38F17BB19083419FD721CF64C888BABF7E5FB88304F00892DF59A97290D7B49945CB6A
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020776D9
                                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02077757
                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0207778F
                                                                                                            • ___ascii_stricmp.LIBCMT ref: 020778B4
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0207794E
                                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0207796D
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0207797E
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 020779AC
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02077A56
                                                                                                              • Part of subcall function 0207F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0207772A,?), ref: 0207F414
                                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 020779F6
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02077A4D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                                            • API String ID: 3433985886-3108538426
                                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                            • Instruction ID: 8fcb3b0ebb3ab7e8eb440d2a9672330f2d80b8dfbfcd34045237d1380ad546b7
                                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                            • Instruction Fuzzy Hash: 03C19571D00309AFEB52DBA4DC44FEEBBF9EF49350F1440A5E504E6160EB719A84DB68
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02072CED
                                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02072D07
                                                                                                            • htons.WS2_32(00000000), ref: 02072D42
                                                                                                            • select.WS2_32 ref: 02072D8F
                                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02072DB1
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02072E62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 127016686-0
                                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                            • Instruction ID: 7c716a1e4cde9ac805a1805f09798e15a061875cd6d2b88f0f30b8daff92fba8
                                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                            • Instruction Fuzzy Hash: 1B61C071D04305AFC361AF64DC08BABBBE8FB48755F044819FD8497251D7B5D880EBAA
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                            • API String ID: 3631595830-1816598006
                                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                            • API String ID: 929413710-2099955842
                                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32(?), ref: 020795A7
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020795D5
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 020795DC
                                                                                                            • wsprintfA.USER32 ref: 02079635
                                                                                                            • wsprintfA.USER32 ref: 02079673
                                                                                                            • wsprintfA.USER32 ref: 020796F4
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02079758
                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0207978D
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 020797D8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 3696105349-2980165447
                                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                            • Instruction ID: 2d092e8976ec99b8d4821bd0390a8a2cce1d78025936137ac7c9141ef0b8282e
                                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                            • Instruction Fuzzy Hash: 0AA159B290034CAFEB21DFA4CC85FDE3BADAB04745F104026FA15A6151E7B5D584EFA8
                                                                                                            APIs
                                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmpi
                                                                                                            • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                                            • API String ID: 1586166983-142018493
                                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$wsprintf
                                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                            • API String ID: 1220175532-2340906255
                                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                            • API String ID: 3976553417-1522128867
                                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                            APIs
                                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesockethtonssocket
                                                                                                            • String ID: time_cfg
                                                                                                            • API String ID: 311057483-2401304539
                                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 1553760989-1857712256
                                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02073068
                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02073078
                                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 02073095
                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 020730B6
                                                                                                            • htons.WS2_32(00000035), ref: 020730EF
                                                                                                            • inet_addr.WS2_32(?), ref: 020730FA
                                                                                                            • gethostbyname.WS2_32(?), ref: 0207310D
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0207314D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                            • String ID: iphlpapi.dll
                                                                                                            • API String ID: 2869546040-3565520932
                                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                            • Instruction ID: 5e114eea46cf7960230705d4b39578fa123723e00e107bde2d5481e0bbde4219
                                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                            • Instruction Fuzzy Hash: 1831B631E00306ABEF529BB89C48BAE77F8EF04764F1441A5E918E7290DB74D581EB5C
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                                            • API String ID: 3560063639-3847274415
                                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                                            • API String ID: 1082366364-2834986871
                                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                                            • API String ID: 2981417381-1403908072
                                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                                            APIs
                                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 020767C3
                                                                                                            • htonl.WS2_32(?), ref: 020767DF
                                                                                                            • htonl.WS2_32(?), ref: 020767EE
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 020768F1
                                                                                                            • ExitProcess.KERNEL32 ref: 020769BC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                            • String ID: except_info$localcfg
                                                                                                            • API String ID: 1150517154-3605449297
                                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                            • Instruction ID: cd256de8890292b145c21dfffe3e6088c88a755ee7720b3f26431e680b8c3dc3
                                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                            • Instruction Fuzzy Hash: 80617E71A40308AFDB609FB4DC45FEA77E9FB08300F248066FA6DD2161EB7599909F54
                                                                                                            APIs
                                                                                                            • htons.WS2_32(0207CC84), ref: 0207F5B4
                                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0207F5CE
                                                                                                            • closesocket.WS2_32(00000000), ref: 0207F5DC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesockethtonssocket
                                                                                                            • String ID: time_cfg
                                                                                                            • API String ID: 311057483-2401304539
                                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                            • Instruction ID: 0fffa7804130c36a494ede7480f71b168dd1c9d322dc285878d996cd41c31dec
                                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                            • Instruction Fuzzy Hash: AF315E71900219ABDB11DFA5DC88DEE7BBCEF48350F104566F915D3150E7709A819BA8
                                                                                                            APIs
                                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                            • String ID: /%d$|
                                                                                                            • API String ID: 676856371-4124749705
                                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 02072FA1
                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02072FB1
                                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02072FC8
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02073000
                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02073007
                                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02073032
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                            • String ID: dnsapi.dll
                                                                                                            • API String ID: 1242400761-3175542204
                                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                            • Instruction ID: 599526452b79f0ba277747df7eea09d3e56959438fee28ea8eb64c58820a4d8b
                                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                            • Instruction Fuzzy Hash: B2216571D01719BBDB229B65DC48EEEBBB8EF08B50F004461F905E7140D7B49AC1A7E8
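Two behaviours in the function records above are worth pulling out mechanically rather than by reading record by record: the process-hollowing chain at 004097B1 (CreateProcessA with dwCreationFlags 00000004, i.e. CREATE_SUSPENDED, followed by GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread) and the runtime import resolution through LoadLibraryA/GetModuleHandleA plus GetProcAddress that hides iphlpapi.dll, dnsapi.dll and DnsQuery_A from the static import table, with htons(00000035) showing port 53 next to gethostbyname. The following Python script is an added example and not part of the Joe Sandbox report or its tooling: it parses API bullets in the format shown above and flags both patterns. The embedded input is copied from four of the records above; the function names are the author's own, and the argument positions it reads (dwCreationFlags as the sixth CreateProcessA argument, htons' first argument) follow the Win32 prototypes, not anything the report itself states.

```python
import re
from collections import namedtuple

ApiCall = namedtuple("ApiCall", "func module args ref subcall")

# One bullet under "APIs", e.g.
#   • CreateProcessA.KERNEL32(00000000,...,00000004,...), ref: 004097B1
#   • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
RAW = re.compile(r"^[0-9A-Fa-f]{1,8}$")  # bare hex stack slot, not a string argument
CREATE_SUSPENDED = 0x4                   # dwCreationFlags bit (6th CreateProcess argument)
HOLLOW_CHAIN = ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def parse_records(text):
    """One list of ApiCall per 'APIs' header; Strings/Memory Dump/Similarity lines are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = API_LINE.match(line)
        if m and records:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].append(ApiCall(m["func"], m["mod"], args, m["ref"], bool(m["sub"])))
    return records


def _hex_arg(args, idx):
    """Argument idx as int when it is a raw hex slot; None for '?' or string arguments."""
    return int(args[idx], 16) if idx < len(args) and RAW.match(args[idx]) else None


def detect_process_hollowing(record):
    """Refs of CreateProcess(CREATE_SUSPENDED) -> GetThreadContext -> WriteProcessMemory
    -> SetThreadContext -> ResumeThread, in that order, allowing interleaved calls; else None."""
    for i, call in enumerate(record):
        flags = _hex_arg(call.args, 5) if call.func in ("CreateProcessA", "CreateProcessW") else None
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        chain, pos = [call.ref], i
        for wanted in HOLLOW_CHAIN:
            pos = next((j for j in range(pos + 1, len(record)) if record[j].func == wanted), -1)
            if pos < 0:
                break
            chain.append(record[pos].ref)
        else:  # every link of the chain found, in order
            return tuple(chain)
    return None


def dynamic_imports(records):
    """Modules and procedures resolved at runtime (LoadLibrary/GetModuleHandle + GetProcAddress)."""
    seen = []
    for call in (c for r in records for c in r):
        if call.func.startswith(("LoadLibrary", "GetModuleHandle")) and call.args:
            hit = ("module", call.args[0])
        elif call.func == "GetProcAddress" and len(call.args) > 1:
            hit = ("proc", call.args[1])
        else:
            continue
        if hit[1] != "?" and not RAW.match(hit[1]) and hit not in seen:
            seen.append(hit)
    return seen


def htons_ports(records):
    """Ports passed to htons(); pointer-sized slots such as 0207CC84 are not ports."""
    vals = (_hex_arg(c.args, 0) for r in records for c in r if c.func == "htons")
    return sorted({v for v in vals if v is not None and v <= 0xFFFF})


# Constructed input: API lists copied from four of the function records above.
SAMPLE_RECORDS = """\
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02073068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02073078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 02073095
• htons.WS2_32(00000035), ref: 020730EF
• gethostbyname.WS2_32(?), ref: 0207310D
APIs
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
APIs
• Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
"""


def analyse(text=SAMPLE_RECORDS):
    records = parse_records(text)
    hollow = next((h for h in map(detect_process_hollowing, records) if h), None)
    return {"hollowing": hollow, "dynamic_imports": dynamic_imports(records), "ports": htons_ports(records)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Two caveats when feeding real report text to this: Joe Sandbox prints more stack slots than the API actually takes (the trailing PromptOnSecureDesktop on every call in the hollowing record is stack residue, not a parameter), so only positions defined by the Win32 prototype are interpreted; and the chain check is deliberately per record, because a CreateProcessA in one function and a ResumeThread in an unrelated one are not evidence of hollowing. TerminateProcess between GetThreadContext and WriteProcessMemory is the failure path and does not break the match.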
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Code
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 3609698214-2980165447
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\bsoavhio,02077043), ref: 02076F4E
• GetProcAddress.KERNEL32(00000000), ref: 02076F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02076F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02076F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\bsoavhio
• API String ID: 1082366364-3812585133
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Strings
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 020792E2
• wsprintfA.USER32 ref: 02079350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02079375
• lstrlen.KERNEL32(?,?,00000000), ref: 02079389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 02079394
• CloseHandle.KERNEL32(00000000), ref: 0207939B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02079A18
• GetThreadContext.KERNEL32(?,?), ref: 02079A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02079A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02079A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02079AB5
• ResumeThread.KERNEL32(?), ref: 02079AC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
• inet_addr.WS2_32(004102D8), ref: 02071C18
• LoadLibraryA.KERNEL32(004102C8), ref: 02071C26
• GetProcessHeap.KERNEL32 ref: 02071C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02071C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02071CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 02071D02
• FreeLibrary.KERNEL32(?), ref: 02071D0B
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Strings
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1586453840-2980165447
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID: PromptOnSecureDesktop
• API String ID: 1371578007-2980165447
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02076CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02076D22
• GetLastError.KERNEL32 ref: 02076DA7
• CloseHandle.KERNEL32(?), ref: 02076DB5
• GetLastError.KERNEL32 ref: 02076DD6
• DeleteFileA.KERNEL32(?), ref: 02076DE7
• GetLastError.KERNEL32 ref: 02076DFD
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020793C6
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 020793CD
                                                                                                            • CharToOemA.USER32(?,?), ref: 020793DB
                                                                                                            • wsprintfA.USER32 ref: 02079410
                                                                                                              • Part of subcall function 020792CB: GetTempPathA.KERNEL32(00000400,?), ref: 020792E2
                                                                                                              • Part of subcall function 020792CB: wsprintfA.USER32 ref: 02079350
                                                                                                              • Part of subcall function 020792CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02079375
                                                                                                              • Part of subcall function 020792CB: lstrlen.KERNEL32(?,?,00000000), ref: 02079389
                                                                                                              • Part of subcall function 020792CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02079394
                                                                                                              • Part of subcall function 020792CB: CloseHandle.KERNEL32(00000000), ref: 0207939B
                                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02079448
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 3857584221-2980165447
                                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                            • Instruction ID: 733af7b7c1bcdae3ad69b8b672ae43c6b164fbb725e662450065745f2c55329c
                                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                            • Instruction Fuzzy Hash: 4A015EF69002587BDB21A7619D8DEDF3B7CDB95701F0040A2BB49E2080EAB496C5CF79
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen
                                                                                                            • String ID: $localcfg
                                                                                                            • API String ID: 1659193697-2018645984
                                                                                                            • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                                            • Instruction ID: e4d7536e190615f87601851e1c70b4b2bd3010ca91ec0adff1c030921fdcca1b
                                                                                                            • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                                            • Instruction Fuzzy Hash: E1713D72F00309BADF728B54DC85FEF37AA9B00719F244066F905A6091DF6199C4AB6D
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                            • String ID: flags_upd$localcfg
                                                                                                            • API String ID: 204374128-3505511081
                                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                            APIs
                                                                                                              • Part of subcall function 0207DF6C: GetCurrentThreadId.KERNEL32 ref: 0207DFBA
                                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 0207E8FA
                                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02076128), ref: 0207E950
                                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 0207E989
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                            • String ID: A$ A$ A
                                                                                                            • API String ID: 2920362961-1846390581
                                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                            • Instruction ID: 833544597169847f01ee6851c3c50022d98983270a2147d6ccd025548c18b49a
                                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                            • Instruction Fuzzy Hash: 1231B332E06706DBDFB2CF24C884BAA7BE4FF05724F1089AAE55587551D370E880DB99
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Code
                                                                                                            • String ID:
                                                                                                            • API String ID: 3609698214-0
                                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                            • Instruction ID: 42ff91fe1dab9ba9a96b759c83f805c0354cf817c8a1eeaa76c38cdca7372350
                                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                            • Instruction Fuzzy Hash: 71214A72A05719BFDB119BA0EC48EDF3FADEB49264B108465F503D1091EB72DA40AA78
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                            • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3819781495-0
                                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0207C6B4
                                                                                                            • InterlockedIncrement.KERNEL32(0207C74B), ref: 0207C715
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0207C747), ref: 0207C728
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0207C747,00413588,02078A77), ref: 0207C733
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 1026198776-1857712256
                                                                                                            • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                            • Instruction ID: 3cc1711403c5f4eb0675a9270837a3565389340f348b348f41c9da9981bce0cd
                                                                                                            • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                            • Instruction Fuzzy Hash: B7514BB1A01B418FE7658F29C9D462ABBE9FB48304B50593FE18BC7A90D774F840DB14
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 124786226-2980165447
                                                                                                            • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                            • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                            APIs
                                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseCreateDelete
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 2667537340-2980165447
                                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                            APIs
                                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0207E50A,00000000,00000000,00000000,00020106,00000000,0207E50A,00000000,000000E4), ref: 0207E319
                                                                                                            • RegSetValueExA.ADVAPI32(0207E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0207E38E
                                                                                                            • RegDeleteValueA.ADVAPI32(0207E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0207E3BF
                                                                                                            • RegCloseKey.ADVAPI32(0207E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0207E50A), ref: 0207E3C8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseCreateDelete
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 2667537340-2980165447
                                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                            • Instruction ID: c3f3b6bd3e12e2fedd29b9f57beecfdab19ef8e7e642eb0a907fddd4e1744ff5
                                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                            • Instruction Fuzzy Hash: 7A214971E01219BBDB219FA4EC89EEE7FA9EF08750F008061F904A6150E3718A54EBA4
                                                                                                            APIs
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 020771E1
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02077228
                                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 02077286
                                                                                                            • wsprintfA.USER32 ref: 0207729D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                            • String ID: |
                                                                                                            • API String ID: 2539190677-2343686810
                                                                                                            • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                            • Instruction ID: d75e570b68dfca67f848ad9bd78c04537edb2fc7e81e43f960d3275fdb2573b7
                                                                                                            • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                            • Instruction Fuzzy Hash: 8F311872A00209BFDB41DFA8DC49BDA7BACEF04354F14C066F959DB210EB75D6488B98
                                                                                                            APIs
                                                                                                            • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A2CD
                                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A2E5
                                                                                                            • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A2ED
                                                                                                            • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A334
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128822017.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_415000_RSno9EH0K9.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BuildCommExceptionFilterNamePathPrivateProfileShortStringUnhandledWrite
                                                                                                            • String ID: -
                                                                                                            • API String ID: 798774265-2547889144
                                                                                                            • Opcode ID: 3d90542581e238cb84295c313c464a692e5095d9864c298ecc9d7ba5e2e74f3b
                                                                                                            • Instruction ID: 4c4e1cc5ddb1a1e37ffca9a859bb480becdedea699cb69c31b0276ffeb757c76
                                                                                                            • Opcode Fuzzy Hash: 3d90542581e238cb84295c313c464a692e5095d9864c298ecc9d7ba5e2e74f3b
                                                                                                            • Instruction Fuzzy Hash: A011EB70B052089AD7209F64DD85BDE77B4EB0C321F5140A9FB19AB2C1CA7519C5CB5E
                                                                                                            APIs
                                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                                            • String ID: LocalHost
                                                                                                            • API String ID: 3695455745-3154191806
                                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0207B51A
                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0207B529
                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0207B548
                                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0207B590
                                                                                                            • wsprintfA.USER32 ref: 0207B61E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 4026320513-0
                                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                            • Instruction ID: 44e45a14cd6b6d5e8f89e5caad3eedaf7da37b5d9348796e5292901003f1c586
                                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                            • Instruction Fuzzy Hash: 035130B1D0021CAACF54CFD5D8885EEBBB9BF48304F10816AF501B6150E7B84AC9DF98
                                                                                                            APIs
                                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02076303
                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 0207632A
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 020763B1
                                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02076405
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                            • String ID:
                                                                                                            • API String ID: 3498078134-0
                                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                            • Instruction ID: b331a388e259fbd6cb72541e3789f927f638323557f592015da4572dc4a973d4
                                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                            • Instruction Fuzzy Hash: 10415B71E00B09ABDB55CF58C884BADB7F9EF04358F148179E826D7290D772E980EB54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                            • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                            • String ID: A$ A
                                                                                                            • API String ID: 3343386518-686259309
                                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                              • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                            • String ID:
                                                                                                            • API String ID: 1128258776-0
                                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: setsockopt
                                                                                                            • String ID:
                                                                                                            • API String ID: 3981526788-0
                                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
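The function blocks above are machine-generated and repetitive; an analyst normally wants them as data (API chain with resolved string arguments, memory-dump source, opcode and instruction hashes) so they can be searched and pivoted across samples. The parser below is an added example, not Joe Sandbox tooling: it reads the block layout shown on this page into records and offers two pivots, which functions call a given API and which string arguments (such as PromptOnSecureDesktop) the sandbox recovered. The layout rules it relies on (a block closes at its "Instruction Fuzzy Hash" line, the "APIs" header may be absent, a call may carry a "Part of subcall function" prefix) are inferred from this report, and SAMPLE is an excerpt copied from the blocks above.

```python
"""Parse Joe Sandbox function-analysis blocks into searchable records.
Added example; layout inferred from the report text, SAMPLE excerpted from it."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: " for calls inside a sub-function.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^(?P<key>[^:]+): ?(?P<val>.*)$")
HEX_ARG_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # the sandbox prints 32-bit args as 8 hex digits


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None   # address of the sub-function, when the call is nested


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool | None = None
    snapshot: str = ""
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    instruction_fuzzy_hash: str = ""


def _clean(line: str) -> str:
    return line.strip().lstrip("•").strip()


def parse_function_blocks(text: str) -> list[FunctionRecord]:
    """One record per block; a block ends at its 'Instruction Fuzzy Hash' line."""
    records, rec = [], FunctionRecord()
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["subfn"]))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue                 # bare section headers: APIs, Strings, Yara matches, ...
        key, val = f["key"], f["val"].strip()
        if key == "Source File":     # "<dump>, Offset: <hex>, based on PE: true|false"
            parts = [p.strip() for p in val.split(",")]
            rec.source_file = parts[0]
            for p in parts[1:]:
                if p.startswith("Offset: "):
                    rec.offset = p[len("Offset: "):]
                elif p.startswith("based on PE: "):
                    rec.based_on_pe = p.endswith("true")
        elif key == "Snapshot File":
            rec.snapshot = val
        elif key == "API ID":
            rec.api_id = val
        elif key == "String ID":
            rec.string_id = val
        elif key == "Opcode ID":
            rec.opcode_id = val
        elif key == "Instruction ID":
            rec.instruction_id = val
        elif key == "Instruction Fuzzy Hash":
            rec.instruction_fuzzy_hash = val
            records.append(rec)      # last field of a block: close it
            rec = FunctionRecord()
    return records


def functions_calling(records: list[FunctionRecord], api_name: str) -> list[FunctionRecord]:
    """Records whose API chain (subcalls included) contains api_name."""
    return [r for r in records if any(c.name == api_name for c in r.apis)]


def string_arguments(records: list[FunctionRecord]) -> set[str]:
    """Arguments the sandbox resolved to strings: anything that is not a hex value or '?'."""
    out: set[str] = set()
    for r in records:
        for c in r.apis:
            out.update(a for a in c.args if a != "?" and not HEX_ARG_RE.match(a))
    return out


# Constructed sample: two blocks excerpted verbatim from the report above.
SAMPLE = """
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0207E50A,00000000,00000000,00000000,00020106,00000000,0207E50A,00000000,000000E4), ref: 0207E319
• RegSetValueExA.ADVAPI32(0207E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0207E38E
• RegDeleteValueA.ADVAPI32(0207E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0207E3BF
• RegCloseKey.ADVAPI32(0207E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0207E50A), ref: 0207E3C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: 7A214971E01219BBDB219FA4EC89EEE7FA9EF08750F008061F904A6150E3718A54EBA4
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: A$ A
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
"""

if __name__ == "__main__":
    for r in parse_function_blocks(SAMPLE):
        print(r.offset, [c.name for c in r.apis], r.string_id or "-")
```

Feed it the whole function-analysis section of a report (the text as pasted above) and the records line up with the page: the registry block resolves to a call chain RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCloseKey in the 02070000 dump (not a mapped PE, i.e. unpacked code) with PromptOnSecureDesktop as its only string argument, and `functions_calling` lets you pull every function in the dump that touches a given API without reading the blocks one by one. The opcode and instruction hashes survive as-is, so the records can be compared across reports.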
                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 1808961391-1857712256
                                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                                            • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 3683885500-2980165447
                                                                                                            • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                            • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                                            • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                            • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                                            APIs
                                                                                                              • Part of subcall function 0207DF6C: GetCurrentThreadId.KERNEL32 ref: 0207DFBA
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0207A6AC), ref: 0207E7BF
                                                                                                            • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0207A6AC), ref: 0207E7EA
                                                                                                            • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0207A6AC), ref: 0207E819
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 1396056608-2980165447
                                                                                                            • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                            • Instruction ID: f0a2e735a47a7c7805fc143cedecb5b95ccb2f4db166e35c63b62dc4a4c00aee
                                                                                                            • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                            • Instruction Fuzzy Hash: F52105B1E003047EE2217B259C09FEB3E5DDF65B60F104068FA0DB55D3EAA59450AAFD
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                            • API String ID: 2574300362-1087626847
                                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020776D9
                                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0207796D
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0207797E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEnumOpen
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 1332880857-2980165447
                                                                                                            • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                            • Instruction ID: f06d2775452ca6a37053b296e3102f8d5ec083fde0bdc90669c5c299ea2f8039
                                                                                                            • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                            • Instruction Fuzzy Hash: 5E11EE70E00209AFEB128FA9DC44FEFBFB9EB81354F144161F510E62A0E3B08940CBA4
                                                                                                            APIs
                                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                            • String ID: hi_id$localcfg
                                                                                                            • API String ID: 2777991786-2393279970
                                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                                            • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                                            • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseDeleteOpenValue
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 849931509-2980165447
                                                                                                            • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                            • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                                            • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                            • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0207999D
                                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000), ref: 020799BD
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 020799C6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseDeleteOpenValue
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 849931509-2980165447
                                                                                                            • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                            • Instruction ID: df62b235e958e467de8cac9eeb24e72607a030d3acf4118c56d04b5603a5ca9c
                                                                                                            • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                            • Instruction Fuzzy Hash: 8BF096B2A80208BFF7116B54EC06FDF3A2DDB95B14F104061FA05B5091F6E59A9096FD
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: gethostbynameinet_addr
                                                                                                            • String ID: time_cfg$u6A
                                                                                                            • API String ID: 1594361348-1940331995
                                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                            • Instruction ID: 55fdb6919317c8d524ead0bec1dd9880bdb6c3174753394ad09a60817b47399b
                                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                            • Instruction Fuzzy Hash: D4E0C230A052118FCB818B2CF848AC537E4EF0A230F048180F840C31A0C734DDC0A748
                                                                                                            APIs
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 020769E5
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 02076A26
                                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 02076A3A
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 02076BD8
                                                                                                              • Part of subcall function 0207EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02071DCF,?), ref: 0207EEA8
                                                                                                              • Part of subcall function 0207EE95: HeapFree.KERNEL32(00000000), ref: 0207EEAF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 3384756699-0
                                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                            • Instruction ID: 6bb87342ad20bdffdf715f4d6cca6c2ff7ce26bc081de17e3ab80d8b946e253e
                                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                            • Instruction Fuzzy Hash: AB713671D0061DEFDF11CFA4CC80AEEBBB9FB05314F1045AAE516A6190D7319E92EB64
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 020741AB
• GetLastError.KERNEL32 ref: 020741B5
• WaitForSingleObject.KERNEL32(?,?), ref: 020741C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 020741D9
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0207421F
• GetLastError.KERNEL32 ref: 02074229
• WaitForSingleObject.KERNEL32(?,?), ref: 0207423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0207424D
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0207E066
Strings
Memory Dump Source
• Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B040,0041A731), ref: 0041A38C
• FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B040,0041A731), ref: 0041A3A7
• RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A3CA
• GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A3D4
Memory Dump Source
• Source File: 00000000.00000002.4128822017.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_RSno9EH0K9.jbxd
Similarity
• API ID: AllocateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
• String ID:
• API String ID: 2305449109-0
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                              • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                              • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                              • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                              • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 4151426672-2980165447
                                                                                                            • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                            • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                                            • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                            • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00000001,020744E2,00000000,00000000,00000000), ref: 0207E470
                                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0207E484
                                                                                                              • Part of subcall function 0207E2FC: RegCreateKeyExA.ADVAPI32(80000001,0207E50A,00000000,00000000,00000000,00020106,00000000,0207E50A,00000000,000000E4), ref: 0207E319
                                                                                                              • Part of subcall function 0207E2FC: RegSetValueExA.ADVAPI32(0207E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0207E38E
                                                                                                              • Part of subcall function 0207E2FC: RegDeleteValueA.ADVAPI32(0207E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0207E3BF
                                                                                                              • Part of subcall function 0207E2FC: RegCloseKey.ADVAPI32(0207E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0207E50A), ref: 0207E3C8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 4151426672-2980165447
                                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                            • Instruction ID: 87e0981cc25332e81b5887ed8a409015fea9bc2675d7f1d523cde211bed70e72
                                                                                                            • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                            • Instruction Fuzzy Hash: 5541C5B2D01308BBEB216E55CC45FEB3BADEB14724F1480B5FE0994191E7B58650EAA8
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 020783C6
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02078477
                                                                                                              • Part of subcall function 020769C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 020769E5
                                                                                                              • Part of subcall function 020769C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02076A26
                                                                                                              • Part of subcall function 020769C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02076A3A
                                                                                                              • Part of subcall function 0207EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02071DCF,?), ref: 0207EEA8
                                                                                                              • Part of subcall function 0207EE95: HeapFree.KERNEL32(00000000), ref: 0207EEAF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 359188348-2980165447
                                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                            • Instruction ID: a8a008af9b5bce93cba9fcfca3a49d779969cfcf0faaa8a757151b6667d81f52
                                                                                                            • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                            • Instruction Fuzzy Hash: 6E4161B2D01309BFDB51EBA49D88EFF77ADEB04354F0484B6E504D6010F7B05A54AB69
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0207E859,00000000,00020119,0207E859,PromptOnSecureDesktop), ref: 0207E64D
                                                                                                            • RegCloseKey.ADVAPI32(0207E859,?,?,?,?,000000C8,000000E4), ref: 0207E787
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: PromptOnSecureDesktop
                                                                                                            • API String ID: 47109696-2980165447
                                                                                                            • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                            • Instruction ID: 5d716ad851bda370a533c887140659b04fcea138dc38a0a3cfb71beb4c11687d
                                                                                                            • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                            • Instruction Fuzzy Hash: 184128B2D0021DBFDF12EF94DC85EEEBBBDFB04304F104466EA00A6150E3719A55AB64
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0207AFFF
                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0207B00D
                                                                                                              • Part of subcall function 0207AF6F: gethostname.WS2_32(?,00000080), ref: 0207AF83
                                                                                                              • Part of subcall function 0207AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0207AFE6
                                                                                                              • Part of subcall function 0207331C: gethostname.WS2_32(?,00000080), ref: 0207333F
                                                                                                              • Part of subcall function 0207331C: gethostbyname.WS2_32(?), ref: 02073349
                                                                                                              • Part of subcall function 0207AA0A: inet_ntoa.WS2_32(00000000), ref: 0207AA10
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                            • String ID: %OUTLOOK_BND_
                                                                                                            • API String ID: 1981676241-3684217054
                                                                                                            • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                                            • Instruction ID: d4afb70dfa1a800d5b912bb3f71698fada2b8e50a8268ded92ddc6ef5056eea0
                                                                                                            • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                                            • Instruction Fuzzy Hash: 2D410EB290034CABDB25EFA0DC45EEE3BADFF08304F14442AF92992151EA75E6549F58
                                                                                                            APIs
                                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02079536
                                                                                                            • Sleep.KERNEL32(000001F4), ref: 0207955D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteShellSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 4194306370-3916222277
                                                                                                            • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                            • Instruction ID: d5238e7ac352ec957d252d358e0b49e291d45fa1f63b9cf409e314f81eeb4333
                                                                                                            • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                            • Instruction Fuzzy Hash: 7B4107B1C043AD6FEBB78B68D88CBEA3BE59B02314F1841E5D482971A2D7744981E719
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0207B9D9
                                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 0207BA3A
                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0207BA94
                                                                                                            • GetTickCount.KERNEL32 ref: 0207BB79
                                                                                                            • GetTickCount.KERNEL32 ref: 0207BB99
                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0207BE15
                                                                                                            • closesocket.WS2_32(00000000), ref: 0207BEB4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                            • String ID: %FROM_EMAIL
                                                                                                            • API String ID: 1869671989-2903620461
                                                                                                            • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                            • Instruction ID: dd7c2d6aa6d114dc6f423072747a1dcf7af9e93e3b7235ff63d1e2697364cfc9
                                                                                                            • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                            • Instruction Fuzzy Hash: 8D316D71900348DFDF65DFA4DC44AEEB7A9EB44704F204056FA2582250EB70DA85DF18
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTickwsprintf
                                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                            • API String ID: 2424974917-1012700906
                                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                            • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                            APIs
                                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                            • String ID: %FROM_EMAIL
                                                                                                            • API String ID: 3716169038-2903620461
                                                                                                            • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                            • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 020770BC
                                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 020770F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Name$AccountLookupUser
                                                                                                            • String ID: |
                                                                                                            • API String ID: 2370142434-2343686810
                                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                            • Instruction ID: 2065e839cd0dfd2155625f715dc1e370de5d7f171986321b16eb0622198e00d8
                                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                            • Instruction Fuzzy Hash: 81112A72E0021CEBDB51CBD8DC84ADEB7BCBB04345F1441A6E501E60A4D7709B88DBA4
                                                                                                            APIs
                                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 2777991786-1857712256
                                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                            APIs
                                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                                            • String ID: %FROM_EMAIL
                                                                                                            • API String ID: 224340156-2903620461
                                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                            APIs
                                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 2112563974-1857712256
                                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: gethostbynameinet_addr
                                                                                                            • String ID: time_cfg
                                                                                                            • API String ID: 1594361348-2401304539
                                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: ntdll.dll
                                                                                                            • API String ID: 2574300362-2227199552
                                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                            APIs
                                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4128768770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4128768770.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1017166417-0
                                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                            APIs
                                                                                                              • Part of subcall function 02072F88: GetModuleHandleA.KERNEL32(?), ref: 02072FA1
                                                                                                              • Part of subcall function 02072F88: LoadLibraryA.KERNEL32(?), ref: 02072FB1
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 020731DA
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 020731E1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4129264943.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Offset: 02070000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_2070000_RSno9EH0K9.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1017166417-0
                                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                            • Instruction ID: 8c4c84ded5174df05430f48832d7a9486d0b3b775f89e2775f6a5ee7c5e9928c
                                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                            • Instruction Fuzzy Hash: 87519F7190034AAFDB029F64D888AF9B7B5FF15305F1441A9EC96C7210E732DA19EB98

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:3.3%
                                                                                                            Dynamic/Decrypted Code Coverage:2.1%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:1614
                                                                                                            Total number of Limit Nodes:16
15450 40e318 23 API calls 15449->15450 15450->15433 15451 40df4c 20 API calls 15510 40cb70 15451->15510 15456 40e654 13 API calls 15456->15510 15460 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15460->15510 15461 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15461->15510 15464 40ea84 30 API calls 15464->15510 15465 40d569 closesocket Sleep 15984 40e318 15465->15984 15466 40d815 wsprintfA 15466->15510 15467 40cc1c GetTempPathA 15467->15510 15468 40c517 23 API calls 15468->15510 15470 407ead 6 API calls 15470->15510 15471 40d582 ExitProcess 15472 40e8a1 30 API calls 15472->15510 15473 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15473->15510 15474 40cfe3 GetSystemDirectoryA 15474->15510 15475 40cfad GetEnvironmentVariableA 15475->15510 15476 40675c 21 API calls 15476->15510 15477 40d027 GetSystemDirectoryA 15477->15510 15478 40d105 lstrcatA 15478->15510 15479 40ef1e lstrlenA 15479->15510 15480 40cc9f CreateFileA 15481 40ccc6 WriteFile 15480->15481 15480->15510 15483 40cdcc CloseHandle 15481->15483 15484 40cced CloseHandle 15481->15484 15482 40d15b CreateFileA 15485 40d182 WriteFile CloseHandle 15482->15485 15482->15510 15483->15510 15491 40cd2f 15484->15491 15485->15510 15486 40cd16 wsprintfA 15486->15491 15487 40d149 SetFileAttributesA 15487->15482 15488 40d36e GetEnvironmentVariableA 15488->15510 15489 40d1bf SetFileAttributesA 15489->15510 15490 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15490->15510 15491->15486 15966 407fcf 15491->15966 15492 40d22d GetEnvironmentVariableA 15492->15510 15494 40d3af lstrcatA 15495 40d3f2 CreateFileA 15494->15495 15494->15510 15498 40d415 WriteFile CloseHandle 15495->15498 15495->15510 15497 407fcf 64 API calls 15497->15510 15498->15510 15499 40cd81 WaitForSingleObject CloseHandle CloseHandle 15501 40f04e 4 API calls 15499->15501 15500 40cda5 15502 407ee6 64 API calls 15500->15502 15501->15500 15505 40cdbd DeleteFileA 
15502->15505 15503 40d3e0 SetFileAttributesA 15503->15495 15504 40d26e lstrcatA 15507 40d2b1 CreateFileA 15504->15507 15504->15510 15505->15510 15506 40d4b1 CreateProcessA 15508 40d4e8 CloseHandle CloseHandle 15506->15508 15506->15510 15507->15510 15511 40d2d8 WriteFile CloseHandle 15507->15511 15508->15510 15509 40d452 SetFileAttributesA 15509->15510 15510->15449 15510->15451 15510->15456 15510->15460 15510->15461 15510->15464 15510->15465 15510->15466 15510->15467 15510->15468 15510->15470 15510->15472 15510->15473 15510->15474 15510->15475 15510->15476 15510->15477 15510->15478 15510->15479 15510->15480 15510->15482 15510->15487 15510->15488 15510->15489 15510->15490 15510->15492 15510->15494 15510->15495 15510->15497 15510->15503 15510->15504 15510->15506 15510->15507 15510->15509 15512 407ee6 64 API calls 15510->15512 15513 40d29f SetFileAttributesA 15510->15513 15516 40d31d SetFileAttributesA 15510->15516 15945 40c75d 15510->15945 15957 407e2f 15510->15957 15979 407ead 15510->15979 15989 4031d0 15510->15989 16006 403c09 15510->16006 16016 403a00 15510->16016 16020 40e7b4 15510->16020 16023 40c06c 15510->16023 16029 406f5f GetUserNameA 15510->16029 16040 40e854 15510->16040 16050 407dd6 15510->16050 15511->15510 15512->15510 15513->15507 15516->15510 15518 40741b 15517->15518 15519 406dc2 6 API calls 15518->15519 15520 40743f 15519->15520 15521 407469 RegOpenKeyExA 15520->15521 15522 4077f9 15521->15522 15533 407487 ___ascii_stricmp 15521->15533 15522->15190 15523 407703 RegEnumKeyA 15524 407714 RegCloseKey 15523->15524 15523->15533 15524->15522 15525 40f1a5 lstrlenA 15525->15533 15526 4074d2 RegOpenKeyExA 15526->15533 15527 40772c 15529 407742 RegCloseKey 15527->15529 15530 40774b 15527->15530 15528 407521 RegQueryValueExA 15528->15533 15529->15530 15532 4077ec RegCloseKey 15530->15532 15531 4076e4 RegCloseKey 15531->15533 15532->15522 15533->15523 15533->15525 15533->15526 15533->15527 15533->15528 15533->15531 15535 40777e GetFileAttributesExA 15533->15535 
15536 407769 15533->15536 15534 4077e3 RegCloseKey 15534->15532 15535->15536 15536->15534 15538 407073 15537->15538 15539 4070b9 RegOpenKeyExA 15538->15539 15540 4070d0 15539->15540 15554 4071b8 15539->15554 15541 406dc2 6 API calls 15540->15541 15544 4070d5 15541->15544 15542 40719b RegEnumValueA 15543 4071af RegCloseKey 15542->15543 15542->15544 15543->15554 15544->15542 15546 4071d0 15544->15546 15560 40f1a5 lstrlenA 15544->15560 15547 407205 RegCloseKey 15546->15547 15548 407227 15546->15548 15547->15554 15549 4072b8 ___ascii_stricmp 15548->15549 15550 40728e RegCloseKey 15548->15550 15551 4072cd RegCloseKey 15549->15551 15552 4072dd 15549->15552 15550->15554 15551->15554 15553 407311 RegCloseKey 15552->15553 15556 407335 15552->15556 15553->15554 15554->15194 15555 4073d5 RegCloseKey 15557 4073e4 15555->15557 15556->15555 15558 40737e GetFileAttributesExA 15556->15558 15559 407397 15556->15559 15558->15559 15559->15555 15561 40f1c3 15560->15561 15561->15544 15563 406e5f LookupAccountNameW 15562->15563 15564 406e97 15562->15564 15563->15564 15564->15196 15566 40eb17 15565->15566 15568 40eb21 15565->15568 15575 40eae4 15566->15575 15568->15234 15571 4069b9 WriteFile 15569->15571 15572 406a3c 15571->15572 15574 4069ff 15571->15574 15572->15232 15572->15233 15573 406a10 WriteFile 15573->15572 15573->15574 15574->15572 15574->15573 15576 40eb02 GetProcAddress 15575->15576 15577 40eaed LoadLibraryA 15575->15577 15576->15568 15577->15576 15578 40eb01 15577->15578 15578->15568 15580 401924 GetVersionExA 15579->15580 15580->15247 15582 406eef AllocateAndInitializeSid 15581->15582 15588 406f55 15581->15588 15583 406f44 15582->15583 15584 406f1c CheckTokenMembership 15582->15584 15587 406e36 2 API calls 15583->15587 15583->15588 15585 406f3b FreeSid 15584->15585 15586 406f2e 15584->15586 15585->15583 15586->15585 15587->15588 15588->15257 15590 40f0f1 15589->15590 15591 40f0ed 15589->15591 15592 40f119 15590->15592 15593 40f0fa lstrlenA SysAllocStringByteLen 15590->15593 
15591->15279 15595 40f11c MultiByteToWideChar 15592->15595 15594 40f117 15593->15594 15593->15595 15594->15279 15595->15594 15597 401820 17 API calls 15596->15597 15599 4018f2 15597->15599 15598 4018f9 15598->15275 15599->15598 15613 401280 15599->15613 15601 401908 15601->15275 15625 401000 15602->15625 15604 401839 15605 401851 GetCurrentProcess 15604->15605 15606 40183d 15604->15606 15607 401864 15605->15607 15606->15266 15607->15266 15609 409308 15608->15609 15611 40920e 15608->15611 15609->15275 15610 4092f1 Sleep 15610->15611 15611->15609 15611->15610 15611->15611 15612 4092bf ShellExecuteA 15611->15612 15612->15609 15612->15611 15614 4012e1 15613->15614 15615 4016f9 GetLastError 15614->15615 15619 4013a8 15614->15619 15616 401699 15615->15616 15616->15601 15617 401570 lstrlenW 15617->15619 15618 4015be GetStartupInfoW 15618->15619 15619->15616 15619->15617 15619->15618 15619->15619 15620 4015ff CreateProcessWithLogonW 15619->15620 15624 401668 CloseHandle 15619->15624 15621 4016bf GetLastError 15620->15621 15622 40163f WaitForSingleObject 15620->15622 15621->15616 15622->15619 15623 401659 CloseHandle 15622->15623 15623->15619 15624->15619 15626 40100d LoadLibraryA 15625->15626 15634 401023 15625->15634 15627 401021 15626->15627 15626->15634 15627->15604 15628 4010b5 GetProcAddress 15629 4010d1 GetProcAddress 15628->15629 15630 40127b 15628->15630 15629->15630 15631 4010f0 GetProcAddress 15629->15631 15630->15604 15631->15630 15632 401110 GetProcAddress 15631->15632 15632->15630 15633 401130 GetProcAddress 15632->15633 15633->15630 15635 40114f GetProcAddress 15633->15635 15634->15628 15645 4010ae 15634->15645 15635->15630 15636 40116f GetProcAddress 15635->15636 15636->15630 15637 40118f GetProcAddress 15636->15637 15637->15630 15638 4011ae GetProcAddress 15637->15638 15638->15630 15639 4011ce GetProcAddress 15638->15639 15639->15630 15640 4011ee GetProcAddress 15639->15640 15640->15630 15641 401209 GetProcAddress 15640->15641 15641->15630 15642 401225 
GetProcAddress 15641->15642 15642->15630 15643 401241 GetProcAddress 15642->15643 15643->15630 15644 40125c GetProcAddress 15643->15644 15644->15630 15645->15604 15647 40908d 15646->15647 15648 4090e2 wsprintfA 15647->15648 15649 40ee2a 15648->15649 15650 4090fd CreateFileA 15649->15650 15651 40911a lstrlenA WriteFile CloseHandle 15650->15651 15652 40913f 15650->15652 15651->15652 15652->15295 15652->15296 15654 40dd41 InterlockedExchange 15653->15654 15655 40dd20 GetCurrentThreadId 15654->15655 15659 40dd4a 15654->15659 15656 40dd53 GetCurrentThreadId 15655->15656 15657 40dd2e GetTickCount 15655->15657 15656->15299 15658 40dd39 Sleep 15657->15658 15657->15659 15658->15654 15659->15656 15661 40dbf0 15660->15661 15693 40db67 GetEnvironmentVariableA 15661->15693 15663 40dc19 15664 40dcda 15663->15664 15665 40db67 3 API calls 15663->15665 15664->15301 15666 40dc5c 15665->15666 15666->15664 15667 40db67 3 API calls 15666->15667 15668 40dc9b 15667->15668 15668->15664 15669 40db67 3 API calls 15668->15669 15669->15664 15671 40db55 15670->15671 15672 40db3a 15670->15672 15671->15303 15671->15308 15697 40ebed 15672->15697 15706 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15674->15706 15676 40e3be 15676->15303 15677 40e342 15677->15676 15709 40de24 15677->15709 15680 40e528 15679->15680 15681 40e3f4 15679->15681 15680->15313 15682 40e434 RegQueryValueExA 15681->15682 15683 40e51d RegCloseKey 15682->15683 15684 40e458 15682->15684 15683->15680 15685 40e46e RegQueryValueExA 15684->15685 15685->15684 15686 40e488 15685->15686 15686->15683 15687 40db2e 8 API calls 15686->15687 15688 40e499 15687->15688 15688->15683 15689 40e4b9 RegQueryValueExA 15688->15689 15690 40e4e8 15688->15690 15689->15688 15689->15690 15690->15683 15691 40e332 14 API calls 15690->15691 15692 40e513 15691->15692 15692->15683 15694 40db89 lstrcpyA CreateFileA 15693->15694 15695 40dbca 15693->15695 15694->15663 15695->15663 15698 40ec01 15697->15698 15699 40ebf6 15697->15699 15701 40eba0 codecvt 2 
API calls 15698->15701 15700 40ebcc 4 API calls 15699->15700 15702 40ebfe 15700->15702 15703 40ec0a GetProcessHeap HeapReAlloc 15701->15703 15702->15671 15704 40eb74 2 API calls 15703->15704 15705 40ec28 15704->15705 15705->15671 15720 40eb41 15706->15720 15710 40de3a 15709->15710 15716 40de4e 15710->15716 15724 40dd84 15710->15724 15713 40de9e 15714 40ebed 8 API calls 15713->15714 15713->15716 15715 40def6 15714->15715 15715->15716 15719 40ddcf lstrcmpA 15715->15719 15716->15677 15717 40de76 15728 40ddcf 15717->15728 15719->15716 15721 40eb54 15720->15721 15722 40eb4a 15720->15722 15721->15677 15723 40eae4 2 API calls 15722->15723 15723->15721 15725 40dd96 15724->15725 15726 40ddc5 15724->15726 15725->15726 15727 40ddad lstrcmpiA 15725->15727 15726->15713 15726->15717 15727->15725 15727->15726 15729 40dddd 15728->15729 15731 40de20 15728->15731 15730 40ddfa lstrcmpA 15729->15730 15729->15731 15730->15729 15731->15716 15733 40dd05 6 API calls 15732->15733 15734 40e821 15733->15734 15735 40dd84 lstrcmpiA 15734->15735 15736 40e82c 15735->15736 15738 40e844 15736->15738 15780 402480 15736->15780 15738->15328 15740 40dd05 6 API calls 15739->15740 15741 40df7c 15740->15741 15742 40dd84 lstrcmpiA 15741->15742 15743 40df89 15742->15743 15744 40dfc4 15743->15744 15745 40ddcf lstrcmpA 15743->15745 15746 40ec2e codecvt 4 API calls 15743->15746 15747 40dd84 lstrcmpiA 15743->15747 15744->15333 15745->15743 15746->15743 15747->15743 15749 40ea98 15748->15749 15789 40e8a1 15749->15789 15751 401e84 15751->15336 15753 4019d5 GetProcAddress GetProcAddress GetProcAddress 15752->15753 15754 4019ce 15752->15754 15755 401ab3 FreeLibrary 15753->15755 15756 401a04 15753->15756 15754->15341 15755->15754 15756->15755 15757 401a14 GetProcessHeap 15756->15757 15757->15754 15759 401a2e HeapAlloc 15757->15759 15759->15754 15760 401a42 15759->15760 15761 401a52 HeapReAlloc 15760->15761 15763 401a62 15760->15763 15761->15763 15762 401aa1 FreeLibrary 15762->15754 15763->15762 15764 401a96 
HeapFree 15763->15764 15764->15762 15817 401ac3 LoadLibraryA 15765->15817 15768 401bcf 15768->15352 15770 401ac3 12 API calls 15769->15770 15771 401c09 15770->15771 15772 401c41 15771->15772 15773 401c0d GetComputerNameA 15771->15773 15772->15361 15774 401c45 GetVolumeInformationA 15773->15774 15775 401c1f 15773->15775 15774->15772 15775->15772 15775->15774 15777 40ee2a 15776->15777 15778 4030d0 gethostname gethostbyname 15777->15778 15779 401f82 15778->15779 15779->15365 15779->15367 15783 402419 lstrlenA 15780->15783 15782 402491 15782->15738 15784 402474 15783->15784 15785 40243d lstrlenA 15783->15785 15784->15782 15786 402464 lstrlenA 15785->15786 15787 40244e lstrcmpiA 15785->15787 15786->15784 15786->15785 15787->15786 15788 40245c 15787->15788 15788->15784 15788->15786 15790 40dd05 6 API calls 15789->15790 15791 40e8b4 15790->15791 15792 40dd84 lstrcmpiA 15791->15792 15793 40e8c0 15792->15793 15794 40e90a 15793->15794 15795 40e8c8 lstrcpynA 15793->15795 15797 402419 4 API calls 15794->15797 15805 40ea27 15794->15805 15796 40e8f5 15795->15796 15810 40df4c 15796->15810 15798 40e926 lstrlenA lstrlenA 15797->15798 15800 40e96a 15798->15800 15801 40e94c lstrlenA 15798->15801 15804 40ebcc 4 API calls 15800->15804 15800->15805 15801->15800 15802 40e901 15803 40dd84 lstrcmpiA 15802->15803 15803->15794 15806 40e98f 15804->15806 15805->15751 15806->15805 15807 40df4c 20 API calls 15806->15807 15808 40ea1e 15807->15808 15809 40ec2e codecvt 4 API calls 15808->15809 15809->15805 15811 40dd05 6 API calls 15810->15811 15812 40df51 15811->15812 15813 40f04e 4 API calls 15812->15813 15814 40df58 15813->15814 15815 40de24 10 API calls 15814->15815 15816 40df63 15815->15816 15816->15802 15818 401ae2 GetProcAddress 15817->15818 15821 401b68 GetComputerNameA GetVolumeInformationA 15817->15821 15819 401af5 15818->15819 15818->15821 15820 40ebed 8 API calls 15819->15820 15822 401b29 15819->15822 15820->15819 15821->15768 15822->15821 15823 40ec2e codecvt 4 API calls 15822->15823 
15823->15821 15825 406ec3 2 API calls 15824->15825 15826 407ef4 15825->15826 15827 4073ff 17 API calls 15826->15827 15836 407fc9 15826->15836 15828 407f16 15827->15828 15828->15836 15837 407809 GetUserNameA 15828->15837 15830 407f63 15831 40ef1e lstrlenA 15830->15831 15830->15836 15832 407fa6 15831->15832 15833 40ef1e lstrlenA 15832->15833 15834 407fb7 15833->15834 15861 407a95 RegOpenKeyExA 15834->15861 15836->15376 15838 40783d LookupAccountNameA 15837->15838 15844 407a8d 15837->15844 15839 407874 GetLengthSid GetFileSecurityA 15838->15839 15838->15844 15840 4078a8 GetSecurityDescriptorOwner 15839->15840 15839->15844 15841 4078c5 EqualSid 15840->15841 15842 40791d GetSecurityDescriptorDacl 15840->15842 15841->15842 15843 4078dc LocalAlloc 15841->15843 15842->15844 15855 407941 15842->15855 15843->15842 15845 4078ef InitializeSecurityDescriptor 15843->15845 15844->15830 15846 407916 LocalFree 15845->15846 15847 4078fb SetSecurityDescriptorOwner 15845->15847 15846->15842 15847->15846 15849 40790b SetFileSecurityA 15847->15849 15848 40795b GetAce 15848->15855 15849->15846 15850 407980 EqualSid 15850->15855 15851 407a3d 15851->15844 15854 407a43 LocalAlloc 15851->15854 15852 4079be EqualSid 15852->15855 15853 40799d DeleteAce 15853->15855 15854->15844 15856 407a56 InitializeSecurityDescriptor 15854->15856 15855->15844 15855->15848 15855->15850 15855->15851 15855->15852 15855->15853 15857 407a62 SetSecurityDescriptorDacl 15856->15857 15858 407a86 LocalFree 15856->15858 15857->15858 15859 407a73 SetFileSecurityA 15857->15859 15858->15844 15859->15858 15860 407a83 15859->15860 15860->15858 15862 407ac4 15861->15862 15863 407acb GetUserNameA 15861->15863 15862->15836 15864 407da7 RegCloseKey 15863->15864 15865 407aed LookupAccountNameA 15863->15865 15864->15862 15865->15864 15866 407b24 RegGetKeySecurity 15865->15866 15866->15864 15867 407b49 GetSecurityDescriptorOwner 15866->15867 15868 407b63 EqualSid 15867->15868 15869 407bb8 GetSecurityDescriptorDacl 15867->15869 
15868->15869 15870 407b74 LocalAlloc 15868->15870 15871 407da6 15869->15871 15878 407bdc 15869->15878 15870->15869 15872 407b8a InitializeSecurityDescriptor 15870->15872 15871->15864 15874 407bb1 LocalFree 15872->15874 15875 407b96 SetSecurityDescriptorOwner 15872->15875 15873 407bf8 GetAce 15873->15878 15874->15869 15875->15874 15876 407ba6 RegSetKeySecurity 15875->15876 15876->15874 15877 407c1d EqualSid 15877->15878 15878->15871 15878->15873 15878->15877 15879 407cd9 15878->15879 15880 407c5f EqualSid 15878->15880 15881 407c3a DeleteAce 15878->15881 15879->15871 15882 407d5a LocalAlloc 15879->15882 15883 407cf2 RegOpenKeyExA 15879->15883 15880->15878 15881->15878 15882->15871 15884 407d70 InitializeSecurityDescriptor 15882->15884 15883->15882 15889 407d0f 15883->15889 15885 407d7c SetSecurityDescriptorDacl 15884->15885 15886 407d9f LocalFree 15884->15886 15885->15886 15887 407d8c RegSetKeySecurity 15885->15887 15886->15871 15887->15886 15888 407d9c 15887->15888 15888->15886 15890 407d43 RegSetValueExA 15889->15890 15890->15882 15891 407d54 15890->15891 15891->15882 15892->15395 15894 40dd05 6 API calls 15893->15894 15897 40e65f 15894->15897 15895 40e6a5 15896 40ebcc 4 API calls 15895->15896 15901 40e6f5 15895->15901 15899 40e6b0 15896->15899 15897->15895 15898 40e68c lstrcmpA 15897->15898 15898->15897 15900 40e6e0 lstrcpynA 15899->15900 15899->15901 15903 40e6b7 15899->15903 15900->15901 15902 40e71d lstrcmpA 15901->15902 15901->15903 15902->15901 15903->15397 15904->15403 15906 40c525 15905->15906 15911 40c532 15905->15911 15909 40ec2e codecvt 4 API calls 15906->15909 15906->15911 15907 40c548 15910 40e7ff lstrcmpiA 15907->15910 15916 40c54f 15907->15916 15909->15911 15912 40c615 15910->15912 15911->15907 16057 40e7ff 15911->16057 15914 40ebcc 4 API calls 15912->15914 15912->15916 15914->15916 15915 40c5d1 15918 40ebcc 4 API calls 15915->15918 15916->15416 15917 40e819 11 API calls 15919 40c5b7 15917->15919 15918->15916 15920 40f04e 4 API calls 15919->15920 
15921 40c5bf 15920->15921 15921->15907 15921->15915 15923 402692 inet_addr 15922->15923 15924 40268e 15922->15924 15923->15924 15925 40269e gethostbyname 15923->15925 15926 40f428 15924->15926 15925->15924 16060 40f315 15926->16060 15931 40c8d2 15929->15931 15930 40c907 15930->15433 15931->15930 15932 40c517 23 API calls 15931->15932 15932->15930 15933 40f43e 15934 40f473 recv 15933->15934 15935 40f458 15934->15935 15936 40f47c 15934->15936 15935->15934 15935->15936 15936->15434 15938 40c670 15937->15938 15939 40c67d 15937->15939 15940 40ebcc 4 API calls 15938->15940 15941 40ebcc 4 API calls 15939->15941 15943 40c699 15939->15943 15940->15939 15941->15943 15942 40c6f3 15942->15447 15942->15510 15943->15942 15944 40c73c send 15943->15944 15944->15942 15946 40c770 15945->15946 15947 40c77d 15945->15947 15948 40ebcc 4 API calls 15946->15948 15949 40c799 15947->15949 15950 40ebcc 4 API calls 15947->15950 15948->15947 15951 40c7b5 15949->15951 15952 40ebcc 4 API calls 15949->15952 15950->15949 15953 40f43e recv 15951->15953 15952->15951 15954 40c7cb 15953->15954 15955 40f43e recv 15954->15955 15956 40c7d3 15954->15956 15955->15956 15956->15510 16073 407db7 15957->16073 15960 407e70 15962 40f04e 4 API calls 15960->15962 15964 407e96 15960->15964 15961 40f04e 4 API calls 15963 407e4c 15961->15963 15962->15964 15963->15960 15965 40f04e 4 API calls 15963->15965 15964->15510 15965->15960 15967 406ec3 2 API calls 15966->15967 15968 407fdd 15967->15968 15969 4073ff 17 API calls 15968->15969 15978 4080c2 CreateProcessA 15968->15978 15970 407fff 15969->15970 15971 407809 21 API calls 15970->15971 15970->15978 15972 40804d 15971->15972 15973 40ef1e lstrlenA 15972->15973 15972->15978 15974 40809e 15973->15974 15975 40ef1e lstrlenA 15974->15975 15976 4080af 15975->15976 15977 407a95 24 API calls 15976->15977 15977->15978 15978->15499 15978->15500 15980 407db7 2 API calls 15979->15980 15981 407eb8 15980->15981 15982 40f04e 4 API calls 15981->15982 15983 407ece DeleteFileA 
15982->15983 15983->15510 15985 40dd05 6 API calls 15984->15985 15986 40e31d 15985->15986 16077 40e177 15986->16077 15988 40e326 15988->15471 15990 4031f3 15989->15990 16000 4031ec 15989->16000 15991 40ebcc 4 API calls 15990->15991 15999 4031fc 15991->15999 15992 403459 15995 40f04e 4 API calls 15992->15995 15993 40349d 15994 40ec2e codecvt 4 API calls 15993->15994 15994->16000 15996 40345f 15995->15996 15998 4030fa 4 API calls 15996->15998 15997 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15997->15999 15998->16000 15999->15997 15999->16000 16001 40344d 15999->16001 16003 40344b 15999->16003 16005 403141 lstrcmpiA 15999->16005 16103 4030fa GetTickCount 15999->16103 16000->15510 16002 40ec2e codecvt 4 API calls 16001->16002 16002->16003 16003->15992 16003->15993 16005->15999 16007 4030fa 4 API calls 16006->16007 16008 403c1a 16007->16008 16009 403ce6 16008->16009 16108 403a72 16008->16108 16009->15510 16012 403a72 9 API calls 16013 403c5e 16012->16013 16013->16009 16014 403a72 9 API calls 16013->16014 16015 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16013->16015 16014->16013 16015->16013 16017 403a10 16016->16017 16018 4030fa 4 API calls 16017->16018 16019 403a1a 16018->16019 16019->15510 16021 40dd05 6 API calls 16020->16021 16022 40e7be 16021->16022 16022->15510 16024 40c105 16023->16024 16025 40c07e wsprintfA 16023->16025 16024->15510 16117 40bfce GetTickCount wsprintfA 16025->16117 16027 40c0ef 16118 40bfce GetTickCount wsprintfA 16027->16118 16030 407047 16029->16030 16031 406f88 LookupAccountNameA 16029->16031 16030->15510 16033 407025 16031->16033 16034 406fcb 16031->16034 16035 406edd 5 API calls 16033->16035 16036 406fdb ConvertSidToStringSidA 16034->16036 16037 40702a wsprintfA 16035->16037 16036->16033 16038 406ff1 16036->16038 16037->16030 16039 407013 LocalFree 16038->16039 16039->16033 16041 40dd05 6 API calls 16040->16041 16042 40e85c 16041->16042 16043 40dd84 lstrcmpiA 16042->16043 16045 40e867 16043->16045 16044 
40e885 lstrcpyA 16122 40dd69 16044->16122 16045->16044 16119 4024a5 16045->16119 16051 407db7 2 API calls 16050->16051 16052 407de1 16051->16052 16053 40f04e 4 API calls 16052->16053 16056 407e16 16052->16056 16054 407df2 16053->16054 16055 40f04e 4 API calls 16054->16055 16054->16056 16055->16056 16056->15510 16058 40dd84 lstrcmpiA 16057->16058 16059 40c58e 16058->16059 16059->15907 16059->15915 16059->15917 16061 40ca1d 16060->16061 16062 40f33b 16060->16062 16061->15430 16061->15933 16063 40f347 htons socket 16062->16063 16064 40f382 ioctlsocket 16063->16064 16065 40f374 closesocket 16063->16065 16066 40f3aa connect select 16064->16066 16067 40f39d 16064->16067 16065->16061 16066->16061 16069 40f3f2 __WSAFDIsSet 16066->16069 16068 40f39f closesocket 16067->16068 16068->16061 16069->16068 16070 40f403 ioctlsocket 16069->16070 16072 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16070->16072 16072->16061 16074 407dc8 InterlockedExchange 16073->16074 16075 407dc0 Sleep 16074->16075 16076 407dd4 16074->16076 16075->16074 16076->15960 16076->15961 16078 40e184 16077->16078 16079 40e2e4 16078->16079 16080 40e223 16078->16080 16093 40dfe2 16078->16093 16079->15988 16080->16079 16083 40dfe2 8 API calls 16080->16083 16082 40e1be 16082->16080 16084 40dbcf 3 API calls 16082->16084 16086 40e23c 16083->16086 16087 40e1d6 16084->16087 16085 40e21a CloseHandle 16085->16080 16086->16079 16097 40e095 RegCreateKeyExA 16086->16097 16087->16080 16087->16085 16088 40e1f9 WriteFile 16087->16088 16088->16085 16090 40e213 16088->16090 16090->16085 16091 40e2a3 16091->16079 16092 40e095 4 API calls 16091->16092 16092->16079 16094 40dffc 16093->16094 16096 40e024 16093->16096 16095 40db2e 8 API calls 16094->16095 16094->16096 16095->16096 16096->16082 16098 40e172 16097->16098 16101 40e0c0 16097->16101 16098->16091 16099 40e13d 16100 40e14e RegDeleteValueA RegCloseKey 16099->16100 16100->16098 16101->16099 16102 40e115 RegSetValueExA 16101->16102 16102->16099 16102->16101 
16104 403122 InterlockedExchange 16103->16104 16105 40312e 16104->16105 16106 40310f GetTickCount 16104->16106 16105->15999 16106->16105 16107 40311a Sleep 16106->16107 16107->16104 16109 40f04e 4 API calls 16108->16109 16116 403a83 16109->16116 16110 403ac1 16110->16009 16110->16012 16111 403be6 16114 40ec2e codecvt 4 API calls 16111->16114 16112 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16113 403bc0 16112->16113 16113->16111 16113->16112 16114->16110 16115 403b66 lstrlenA 16115->16110 16115->16116 16116->16110 16116->16113 16116->16115 16117->16027 16118->16024 16120 402419 4 API calls 16119->16120 16121 4024b6 16120->16121 16121->16044 16123 40dd79 lstrlenA 16122->16123 16123->15510 16125 404084 16124->16125 16126 40407d 16124->16126 16127 403ecd 6 API calls 16125->16127 16128 40408f 16127->16128 16129 404000 3 API calls 16128->16129 16130 404095 16129->16130 16131 404130 16130->16131 16132 4040c0 16130->16132 16133 403ecd 6 API calls 16131->16133 16137 403f18 4 API calls 16132->16137 16134 404159 CreateNamedPipeA 16133->16134 16135 404167 Sleep 16134->16135 16136 404188 ConnectNamedPipe 16134->16136 16135->16131 16139 404176 CloseHandle 16135->16139 16138 404195 GetLastError 16136->16138 16150 4041ab 16136->16150 16140 4040da 16137->16140 16141 40425e DisconnectNamedPipe 16138->16141 16138->16150 16139->16136 16142 403f8c 4 API calls 16140->16142 16141->16136 16143 4040ec 16142->16143 16144 404127 CloseHandle 16143->16144 16145 404101 16143->16145 16144->16131 16146 403f18 4 API calls 16145->16146 16147 40411c ExitProcess 16146->16147 16148 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16148->16150 16149 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16149->16150 16150->16136 16150->16141 16150->16148 16150->16149 16151 40426a CloseHandle CloseHandle 16150->16151 16152 40e318 23 API calls 16151->16152 16153 40427b 16152->16153 16153->16153 16155 408791 16154->16155 16156 40879f 16154->16156 
[Graph rendering residue: the node and edge text of a call graph whose nodes are function addresses annotated with API names or API-call counts (e.g. 4026b2 gethostbyaddr; 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime) and whose edges are caller->callee; the image itself did not survive extraction, so the edge list is omitted here.]
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\RSno9EH0K9.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\RSno9EH0K9.exe$C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$D$P$\$gxtfamnt
• API String ID: 2089075347-809268377
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph

[Control-flow graph of the function at 41a3e0 (basic blocks 41a3e0 through 41a7cb, colored executed / not executed in the original image); only the basic-block and edge text survived extraction, so the edge list is omitted here.]
                                                                                                            APIs
                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 0041A49D
                                                                                                            • SetConsoleTitleA.KERNEL32(00000000), ref: 0041A4A5
                                                                                                            • GlobalSize.KERNEL32(00000000), ref: 0041A4AD
                                                                                                            • FindAtomW.KERNEL32(00000000), ref: 0041A4B5
                                                                                                            • SearchPathA.KERNEL32(0041C9BC,0041C9A0,0041C980,00000000,?,?), ref: 0041A4D9
                                                                                                            • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A4E3
                                                                                                            • GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A50B
                                                                                                            • CopyFileExA.KERNEL32(0041C9E8,0041C9DC,00000000,00000000,00000000,00000000), ref: 0041A523
                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0041A529
                                                                                                            • WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A548
                                                                                                            • GetNumaHighestNodeNumber.KERNEL32(?), ref: 0041A553
                                                                                                            • DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A55B
                                                                                                            • GetSystemDefaultLCID.KERNEL32 ref: 0041A575
                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0041A589
                                                                                                            • LoadLibraryA.KERNEL32(00000000), ref: 0041A5A2
                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A5EC
                                                                                                            • GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A601
                                                                                                            • FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A629
                                                                                                            • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A64C
                                                                                                            • CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A659
                                                                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0041A661
                                                                                                            • CopyFileA.KERNEL32(0041CA6C,0041CA44,00000000), ref: 0041A672
                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041A679
                                                                                                            • GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A67F
                                                                                                            • OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041A688
                                                                                                            • GetBinaryType.KERNEL32(00000000,00000000), ref: 0041A690
                                                                                                            • GlobalAlloc.KERNELBASE(00000000,004220DC), ref: 0041A6CF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248486712.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_415000_nutgoowa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Console$File$CopyDefaultGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesBinaryCallCommComputerConfigCriticalDebugDecrementEnterEnvironmentExesFindFoldHighestInformationInterlockedLibraryLoadModeNameNamedNodeNumaNumberObjectOpenOutputPathPipeProcessSearchSectionSizeStopStringStringsTimerTimesTitleTypeUserWaitableWrite
                                                                                                            • String ID: k`$}$
                                                                                                            • API String ID: 1387190455-956986773
                                                                                                            • Opcode ID: 912131365e5db89625fd3543ccbcbedf9a45265c402bb1bea6a2fe20e74cab5a
                                                                                                            • Instruction ID: 0557cc61fcd4be446cea29f0adcb16bc1319e3bbd06375e612c880dc7daf55e9
                                                                                                            • Opcode Fuzzy Hash: 912131365e5db89625fd3543ccbcbedf9a45265c402bb1bea6a2fe20e74cab5a
                                                                                                            • Instruction Fuzzy Hash: 41A11771A45310AFD320AB61DC49BDB7BA4EB4C715F00803AF659A61E0D7789981CBEF

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 636 40637c-406384 637 406386-406389 636->637 638 40638a-4063b4 GetModuleHandleA VirtualAlloc 636->638 639 4063f5-4063f7 638->639 640 4063b6-4063d4 call 40ee08 VirtualAllocEx 638->640 641 40640b-40640f 639->641 640->639 644 4063d6-4063f3 call 4062b7 WriteProcessMemory 640->644 644->639 647 4063f9-40640a 644->647 647->641
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                                            • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                            • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 1965334864-0
                                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 331 4073ff-407419 332 40741b 331->332 333 40741d-407422 331->333 332->333 334 407424 333->334 335 407426-40742b 333->335 334->335 336 407430-407435 335->336 337 40742d 335->337 338 407437 336->338 339 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 336->339 337->336 338->339 344 407487-40749d call 40ee2a 339->344 345 4077f9-4077fe call 40ee2a 339->345 351 407703-40770e RegEnumKeyA 344->351 350 407801 345->350 354 407804-407808 350->354 352 4074a2-4074b1 call 406cad 351->352 353 407714-40771d RegCloseKey 351->353 357 4074b7-4074cc call 40f1a5 352->357 358 4076ed-407700 352->358 353->350 357->358 361 4074d2-4074f8 RegOpenKeyExA 357->361 358->351 362 407727-40772a 361->362 363 4074fe-407530 call 402544 RegQueryValueExA 361->363 364 407755-407764 call 40ee2a 362->364 365 40772c-407740 call 40ef00 362->365 363->362 371 407536-40753c 363->371 376 4076df-4076e2 364->376 373 407742-407745 RegCloseKey 365->373 374 40774b-40774e 365->374 375 40753f-407544 371->375 373->374 379 4077ec-4077f7 RegCloseKey 374->379 375->375 378 407546-40754b 375->378 376->358 377 4076e4-4076e7 RegCloseKey 376->377 377->358 378->364 380 407551-40756b call 40ee95 378->380 379->354 380->364 383 407571-407593 call 402544 call 40ee95 380->383 388 407753 383->388 389 407599-4075a0 383->389 388->364 390 4075a2-4075c6 call 40ef00 call 40ed03 389->390 391 4075c8-4075d7 call 40ed03 389->391 397 4075d8-4075da 390->397 391->397 399 4075dc 397->399 400 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 397->400 399->400 409 407626-40762b 400->409 409->409 410 40762d-407634 409->410 411 407637-40763c 410->411 411->411 412 40763e-407642 411->412 413 407644-407656 call 40ed77 412->413 414 40765c-407673 call 40ed23 412->414 413->414 421 407769-40777c call 40ef00 413->421 419 407680 414->419 420 407675-40767e 414->420 423 407683-40768e call 406cad 419->423 420->423 426 4077e3-4077e6 RegCloseKey 421->426 428 407722-407725 423->428 429 407694-4076bf call 40f1a5 call 406c96 423->429 426->379 430 4076dd 428->430 435 4076c1-4076c7 429->435 436 4076d8 429->436 430->376 435->436 437 4076c9-4076d2 435->437 436->430 437->436 438 40777e-407797 GetFileAttributesExA 437->438 439 407799 438->439 440 40779a-40779f 438->440 439->440 441 4077a1 440->441 442 4077a3-4077a8 440->442 441->442 443 4077c4-4077c8 442->443 444 4077aa-4077c0 call 40ee08 442->444 446 4077d7-4077dc 443->446 447 4077ca-4077d6 call 40ef00 443->447 444->443 450 4077e0-4077e2 446->450 451 4077de 446->451 447->446 450->426 451->450
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                            • String ID: "
                                                                                                            • API String ID: 3433985886-123907689
                                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 453 40405e-40407b CreateEventA 454 404084-4040a8 call 403ecd call 404000 453->454 455 40407d-404081 453->455 460 404130-40413e call 40ee2a 454->460 461 4040ae-4040be call 40ee2a 454->461 466 40413f-404165 call 403ecd CreateNamedPipeA 460->466 461->460 467 4040c0-4040f1 call 40eca5 call 403f18 call 403f8c 461->467 472 404167-404174 Sleep 466->472 473 404188-404193 ConnectNamedPipe 466->473 484 4040f3-4040ff 467->484 485 404127-40412a CloseHandle 467->485 472->466 477 404176-404182 CloseHandle 472->477 475 404195-4041a5 GetLastError 473->475 476 4041ab-4041c0 call 403f8c 473->476 475->476 479 40425e-404265 DisconnectNamedPipe 475->479 476->473 486 4041c2-4041f2 call 403f18 call 403f8c 476->486 477->473 479->473 484->485 487 404101-404121 call 403f18 ExitProcess 484->487 485->460 486->479 494 4041f4-404200 486->494 494->479 495 404202-404215 call 403f8c 494->495 495->479 498 404217-40421b 495->498 498->479 499 40421d-404230 call 403f8c 498->499 499->479 502 404232-404236 499->502 502->473 503 40423c-404251 call 403f18 502->503 506 404253-404259 503->506 507 40426a-404276 CloseHandle * 2 call 40e318 503->507 506->473 509 40427b 507->509 509->509
                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateEventExitProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 2404124870-0
                                                                                                            • Opcode ID: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                            • Instruction ID: a90c6c4c2b7f8b8208d93dc1fe438bcf4b3bc6ab1fe170e3c7599fd426c471ab
                                                                                                            • Opcode Fuzzy Hash: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                            • Instruction Fuzzy Hash: 3851A3B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 510 50003c-500047 511 500049 510->511 512 50004c-500263 call 500a3f call 500e0f call 500d90 VirtualAlloc 510->512 511->512 527 500265-500289 call 500a69 512->527 528 50028b-500292 512->528 533 5002ce-5003c2 VirtualProtect call 500cce call 500ce7 527->533 530 5002a1-5002b0 528->530 532 5002b2-5002cc 530->532 530->533 532->530 539 5003d1-5003e0 533->539 540 5003e2-500437 call 500ce7 539->540 541 500439-5004b8 VirtualFree 539->541 540->539 543 5005f4-5005fe 541->543 544 5004be-5004cd 541->544 547 500604-50060d 543->547 548 50077f-500789 543->548 546 5004d3-5004dd 544->546 546->543 552 5004e3-500505 LoadLibraryA 546->552 547->548 553 500613-500637 547->553 550 5007a6-5007b0 548->550 551 50078b-5007a3 548->551 554 5007b6-5007cb 550->554 555 50086e-5008be LoadLibraryA 550->555 551->550 556 500517-500520 552->556 557 500507-500515 552->557 558 50063e-500648 553->558 559 5007d2-5007d5 554->559 562 5008c7-5008f9 555->562 560 500526-500547 556->560 557->560 558->548 561 50064e-50065a 558->561 563 500824-500833 559->563 564 5007d7-5007e0 559->564 565 50054d-500550 560->565 561->548 566 500660-50066a 561->566 567 500902-50091d 562->567 568 5008fb-500901 562->568 574 500839-50083c 563->574 569 5007e2 564->569 570 5007e4-500822 564->570 571 5005e0-5005ef 565->571 572 500556-50056b 565->572 573 50067a-500689 566->573 568->567 569->563 570->559 571->546 578 50056d 572->578 579 50056f-50057a 572->579 575 500750-50077a 573->575 576 50068f-5006b2 573->576 574->555 577 50083e-500847 574->577 575->558 582 5006b4-5006ed 576->582 583 5006ef-5006fc 576->583 584 500849 577->584 585 50084b-50086c 577->585 578->571 580 50059b-5005bb 579->580 581 50057c-500599 579->581 593 5005bd-5005db 580->593 581->593 582->583 587 50074b 583->587 588 5006fe-500748 583->588 584->555 585->574 587->573 588->587 593->565
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0050024D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: cess$kernel32.dll
                                                                                                            • API String ID: 4275171209-1230238691
                                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                            • Instruction ID: 2a9954c425b5c615df3655688d6329589181e04494bf30fe7994701720054a9d
                                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                            • Instruction Fuzzy Hash: 2E526974A01229DFDB64CF58C985BACBBB1BF09304F1480D9E94DAB291DB30AE95DF14

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 594 40977c-4097b9 call 40ee2a CreateProcessA 597 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 594->597 598 4097bb-4097bd 594->598 602 409801-40981c call 40637c 597->602 603 4097f5 597->603 599 409864-409866 598->599 604 4097f6-4097ff TerminateProcess 602->604 607 40981e-409839 WriteProcessMemory 602->607 603->604 604->598 607->603 608 40983b-409856 Wow64SetThreadContext 607->608 608->603 609 409858-409863 ResumeThread 608->609 609->599
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                                            • String ID: D
                                                                                                            • API String ID: 2098669666-2746444292
                                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

Control-flow Graph
control_flow_graph 610 41a6f6-41a6fd 611 41a700-41a710 610->611 612 41a712 611->612 613 41a717-41a71a 611->613 612->613 613->611 614 41a71c-41a73f LoadLibraryW call 41a110 call 41a370 613->614 619 41a740-41a747 614->619 620 41a749-41a759 GlobalSize 619->620 621 41a75d-41a763 619->621 620->621 622 41a765 call 41a100 621->622 623 41a76a-41a771 621->623 626 41a780-41a787 623->626 627 41a773-41a77a InterlockedExchange 623->627 626->619 628 41a789-41a799 626->628 627->626 629 41a7a0-41a7a5 628->629 630 41a7a7-41a7ad 629->630 631 41a7af-41a7b5 629->631 630->631 632 41a7b7-41a7cb 630->632 631->629 631->632
APIs
• LoadLibraryW.KERNELBASE(0041CAA4), ref: 0041A721
• GlobalSize.KERNEL32(00000000), ref: 0041A74B
• InterlockedExchange.KERNEL32(?,00000000), ref: 0041A77A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248486712.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_415000_nutgoowa.jbxd
Similarity
• API ID: ExchangeGlobalInterlockedLibraryLoadSize
• String ID: k`$}$
• API String ID: 1230614907-956986773
• Opcode ID: b196a47d2894aa0dcdf6a77986d9a740ccb2e35e64265e3ef150c0d4e0576575
• Instruction ID: 3d00e1cb30f40c3e3da36ac5a5c5ee68e1b26f71aacc13917bf9e631e8b9cb0e
• Opcode Fuzzy Hash: b196a47d2894aa0dcdf6a77986d9a740ccb2e35e64265e3ef150c0d4e0576575
• Instruction Fuzzy Hash: E11138306452409BC720A720DC867EBB760EB49315F14443EE66A961E1CB7898A2CBDF

Control-flow Graph
control_flow_graph 634 41a110-41a205 GetModuleHandleW GetProcAddress VirtualProtect
APIs
• GetModuleHandleW.KERNEL32(00421FB0), ref: 0041A1AE
• GetProcAddress.KERNEL32(00000000,00420720), ref: 0041A1E1
• VirtualProtect.KERNELBASE(00421DFC,004220DC,00000040,?), ref: 0041A200
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248486712.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_415000_nutgoowa.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-3916222277
• Opcode ID: 0b67f6005c2e5e9acb061c7fc40d55ff61bcf7b67a2c75165a0cd6f5a2922ed5
• Instruction ID: 620725763d30a95ae7b3b8aff8441e0f00cd701f24deb9c65bf4b569524bed01
• Opcode Fuzzy Hash: 0b67f6005c2e5e9acb061c7fc40d55ff61bcf7b67a2c75165a0cd6f5a2922ed5
• Instruction Fuzzy Hash: C6112964718240DED720CF64FE05B067AF1FBAC784F815278D1548B2B2EBB526468B5D

Control-flow Graph
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID: z}-
• API String ID: 1209300637-1318309817
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

Control-flow Graph
control_flow_graph 648 404000-404008 649 40400b-40402a CreateFileA 648->649 650 404057 649->650 651 40402c-404035 GetLastError 649->651 654 404059-40405c 650->654 652 404052 651->652 653 404037-40403a 651->653 656 404054-404056 652->656 653->652 655 40403c-40403f 653->655 654->656 655->654 657 404041-404050 Sleep 655->657 657->649 657->652
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

Control-flow Graph
control_flow_graph 658 406e36-406e5d GetUserNameW 659 406ebe-406ec2 658->659 660 406e5f-406e95 LookupAccountNameW 658->660 660->659 661 406e97-406e9b 660->661 662 406ebb-406ebd 661->662 663 406e9d-406ea3 661->663 662->659 663->662 664 406ea5-406eaa 663->664 665 406eb7-406eb9 664->665 666 406eac-406eb0 664->666 665->659 666->662 667 406eb2-406eb5 666->667 667->662 667->665
APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID:
• API String ID: 2370142434-0
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

Control-flow Graph
control_flow_graph 668 500e0f-500e24 SetErrorMode * 2 669 500e26 668->669 670 500e2b-500e2c 668->670 669->670
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,00500223,?,?), ref: 00500E19
• SetErrorMode.KERNELBASE(00000000,?,?,00500223,?,?), ref: 00500E1E
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 0d446c16eae7c208faf0d57bd6344f7191849366e1e2b515b91accd1c8e4ec86
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: C6D0123114512877D7002A94DC09BCD7F1CDF05B62F008411FB0DE90C0C770994046E5

Control-flow Graph
control_flow_graph 671 406dc2-406dd5 672 406e33-406e35 671->672 673 406dd7-406df1 call 406cc9 call 40ef00 671->673 678 406df4-406df9 673->678 678->678 679 406dfb-406e00 678->679 680 406e02-406e22 GetVolumeInformationA 679->680 681 406e24 679->681 680->681 682 406e2e 680->682 681->682 682->672
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID:
• API String ID: 1823874839-0
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

Control-flow Graph
control_flow_graph 683 5344ae-5344c7 684 5344c9-5344cb 683->684 685 5344d2-5344de 684->685 686 5344cd 684->686 688 5344e0-5344e6 685->688 689 5344ee-5344fb Module32First 685->689 686->685 688->689 694 5344e8-5344ec 688->694 690 534504-53450c 689->690 691 5344fd-5344fe call 53416d 689->691 695 534503 691->695 694->684 694->689 695->690
APIs
• Module32First.KERNEL32(00000000,00000224), ref: 005344F6
Memory Dump Source
• Source File: 0000000B.00000002.2249215134.0000000000533000.00000040.00000020.00020000.00000000.sdmp, Offset: 00533000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_533000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: FirstModule32
• String ID:
• API String ID: 3757679902-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: cfc4c3444e4a5bf4098baf3943a13d0f062bbb2d0a156de87b4bae2bebc642c5
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: FFF062355007117BDB202AB5988DB6E7BE8BF49725F104528E646D24C0DA74FC458E61

Control-flow Graph
control_flow_graph 697 409892-4098c0 698 4098c2-4098c5 697->698 699 4098d9 697->699 698->699 701 4098c7-4098d7 698->701 700 4098e0-4098f1 SetServiceStatus 699->700 701->700
APIs
• SetServiceStatus.SECHOST(00413394), ref: 004098EB
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: ServiceStatus
• String ID:
• API String ID: 3969395364-0
• Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
• Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005341BE
Memory Dump Source
• Source File: 0000000B.00000002.2249215134.0000000000533000.00000040.00000020.00020000.00000000.sdmp, Offset: 00533000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_533000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 963eefe326701aad287621d9ca8b74fefde09f2e5b5a4d9f14c9b103b98229d3
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 20112D79A00208EFDB01DF98C985E98BFF5AF08750F058094F9489B362D771EA90DF90
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                            • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateEventSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3100162736-0
                                                                                                            • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                            • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                                            • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                            • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 005065F6
                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00506610
                                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00506631
                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00506652
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 1965334864-0
                                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                            • Instruction ID: edd6c50ccd64d227ffb114ec677d2b423737a1e55a6b996117662e7b021e8b4b
                                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                            • Instruction Fuzzy Hash: C0115171600219BFDB219F65DC4AF9B3FA8FB457A5F104024F909A7291D7B2DD1086A4
                                                                                                            APIs
                                                                                                            • ExitProcess.KERNEL32 ref: 00509E6D
                                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00509FE1
                                                                                                            • lstrcat.KERNEL32(?,?), ref: 00509FF2
                                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0050A004
                                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0050A054
                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0050A09F
                                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0050A0D6
                                                                                                            • lstrcpy.KERNEL32 ref: 0050A12F
                                                                                                            • lstrlen.KERNEL32(00000022), ref: 0050A13C
                                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00509F13
                                                                                                              • Part of subcall function 00507029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00507081
                                                                                                              • Part of subcall function 00506F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\bsoavhio,00507043), ref: 00506F4E
                                                                                                              • Part of subcall function 00506F30: GetProcAddress.KERNEL32(00000000), ref: 00506F55
                                                                                                              • Part of subcall function 00506F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00506F7B
                                                                                                              • Part of subcall function 00506F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00506F92
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0050A1A2
                                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0050A1C5
                                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0050A214
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0050A21B
                                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0050A265
                                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0050A29F
                                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0050A2C5
                                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0050A2D9
                                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0050A2F4
                                                                                                            • wsprintfA.USER32 ref: 0050A31D
                                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0050A345
                                                                                                            • lstrcat.KERNEL32(?,?), ref: 0050A364
                                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0050A387
                                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0050A398
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0050A1D1
                                                                                                              • Part of subcall function 00509966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0050999D
                                                                                                              • Part of subcall function 00509966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 005099BD
                                                                                                              • Part of subcall function 00509966: RegCloseKey.ADVAPI32(?), ref: 005099C6
                                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0050A3DB
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0050A3E2
                                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0050A41D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                            • String ID: "$"$"$D$P$\
                                                                                                            • API String ID: 1653845638-2605685093
                                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                            • Instruction ID: f254c77869ceda010806dc5a00e788bbde77d4a9900ffc9e67c9a5ea3d228352
                                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                            • Instruction Fuzzy Hash: 73F121B1D4025EAFDF21DBA0CC49EEF7BBCBB48300F1444A5E605E2181E7759A858F65
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                            • API String ID: 2238633743-3228201535
                                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                            • API String ID: 766114626-2976066047
                                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00507D21
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00507D46
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00507D7D
                                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00507DA2
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00507DC0
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00507DD1
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00507DE5
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00507DF3
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00507E03
                                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00507E12
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00507E19
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00507E35
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                            • String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$D
                                                                                                            • API String ID: 2976863881-4068003161
                                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                            • Instruction ID: 1b5907062def0965a0dbd9dbf3c8197238350d5b61971a1027e4f1a205b0518b
                                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                            • Instruction Fuzzy Hash: C2A12A71D0121DAFDB218FA0DD88EEEBFB9FB48300F148069E545E6190EB759A85CB64
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                            • String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$D
                                                                                                            • API String ID: 2976863881-4068003161
                                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                            • API String ID: 2400214276-165278494
                                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                            • API String ID: 3650048968-2394369944
                                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                            APIs
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00507A96
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00507ACD
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00507ADF
                                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00507B01
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00507B1F
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00507B39
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00507B4A
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00507B58
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00507B68
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00507B77
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00507B7E
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00507B9A
                                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 00507BCA
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00507BF1
                                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 00507C0A
                                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00507C2C
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00507CB1
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00507CBF
                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00507CD0
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00507CE0
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00507CEE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                            • String ID: D
                                                                                                            • API String ID: 3722657555-2746444292
                                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                            • Instruction ID: 9088aaed66ce532df55541eb84833410c55251ba543b6e62aa7dd8a34c2f057b
                                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                            • Instruction Fuzzy Hash: 64812B71D0421EABDB11CFA4DD48BEEBFB8BF0C300F14806AE515E6190D775AA45CB64
                                                                                                            APIs
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                            • String ID: D
                                                                                                            • API String ID: 3722657555-2746444292
                                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseOpenQuery
                                                                                                            • String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$localcfg
                                                                                                            • API String ID: 237177642-3319097516
                                                                                                            • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                                            • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                                            APIs
                                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteShelllstrlen
                                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                                            • API String ID: 1628651668-179334549
                                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                            • API String ID: 4207808166-1381319158
                                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                                            APIs
                                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0050865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0050867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 005086A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 005086B1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
APIs
• ShellExecuteExW.SHELL32(?), ref: 00501601
• lstrlenW.KERNEL32(-00000003), ref: 005017D8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 005076D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00507757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0050778F
• ___ascii_stricmp.LIBCMT ref: 005078B4
• RegCloseKey.ADVAPI32(?), ref: 0050794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0050796D
• RegCloseKey.ADVAPI32(?), ref: 0050797E
• RegCloseKey.ADVAPI32(?), ref: 005079AC
• RegCloseKey.ADVAPI32(?), ref: 00507A56
  • Part of subcall function 0050F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0050772A,?), ref: 0050F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 005079F6
• RegCloseKey.ADVAPI32(?), ref: 00507A4D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00502CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00502D07
• htons.WS2_32(00000000), ref: 00502D42
• select.WS2_32 ref: 00502D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00502DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00502E62
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2622201749-0
                                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                            • String ID: runas
                                                                                                            • API String ID: 3696105349-4000483414
                                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$wsprintf
                                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                            • API String ID: 1220175532-2340906255
                                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                            • API String ID: 3976553417-1522128867
                                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                            APIs
                                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesockethtonssocket
                                                                                                            • String ID: time_cfg
                                                                                                            • API String ID: 311057483-2401304539
                                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 1553760989-1857712256
                                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00503068
                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00503078
                                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 00503095
                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 005030B6
                                                                                                            • htons.WS2_32(00000035), ref: 005030EF
                                                                                                            • inet_addr.WS2_32(?), ref: 005030FA
                                                                                                            • gethostbyname.WS2_32(?), ref: 0050310D
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0050314D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                            • String ID: iphlpapi.dll
                                                                                                            • API String ID: 2869546040-3565520932
                                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                            • Instruction ID: a57444af89ecff0ca05e08e6b2e2a615995d335bbbda8318872bf56b32e02803
                                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                            • Instruction Fuzzy Hash: 35315431E00606ABDB119BB89C48AAE7FBCBF09761F144265E918E72D0DB74DE41CB58
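The API listings above are easiest to triage when the raw hex arguments are decoded: htons(00000035) is port 53, RegOpenKeyExA(80000002, ...) opens HKEY_LOCAL_MACHINE, the 80000000 passed to CreateFileA is GENERIC_READ, and the LoadLibraryA/GetProcAddress pair on iphlpapi.dll resolves GetNetworkParams at runtime, which together with gethostbyname is consistent with the sample carrying its own DNS lookup. The following Python script is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in the "API.MODULE(args), ref: addr" format used on this page (the sample text below is copied from the listings above and labelled as constructed), decodes the arguments that carry triage meaning using standard Windows constant values, and flags the patterns a reverser would note. The line regex is an assumption about the listing format inferred from the page and may need adjusting for other report layouts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the function listings on this page
# (DNS-resolver helper, registry reader, file reader, socket probe) in Joe
# Sandbox's "<API>.<MODULE>(<args>), ref: <addr>" format. Nested calls carry a
# "Part of subcall function" prefix and wsprintfA has no argument list.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00503068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00503078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00503095
• htons.WS2_32(00000035), ref: 005030EF
• gethostbyname.WS2_32(?), ref: 0050310D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
• wsprintfA.USER32 ref: 004093CE
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
"""

# Assumed listing format, inferred from the lines on this page.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Standard Windows / Winsock constant values used by the decoders.
REG_HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
ACCESS_BITS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
               (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
AF = {2: "AF_INET"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # raw argument tokens, '?' where the plugin could not recover a value
    ref: int                 # address of the call site
    subcall: Optional[str]   # enclosing subcall function, if nested
    decoded: Optional[str]   # human-readable meaning of the key argument, if any


def hexarg(args: List[str], i: int) -> Optional[int]:
    """Return argument i as an int, or None if it is missing or unknown ('?')."""
    if i >= len(args) or not HEX_RE.match(args[i]):
        return None
    return int(args[i], 16)


def decode(api: str, args: List[str]) -> Optional[str]:
    """Translate the one argument whose raw value carries triage meaning."""
    if api == "htons":                                # host-order port before byte swap
        v = hexarg(args, 0)
        return None if v is None else f"port {v}"
    if api in ("RegOpenKeyExA", "RegOpenKeyExW"):     # predefined hive handle
        v = hexarg(args, 0)
        return REG_HIVES.get(v) if v is not None else None
    if api in ("CreateFileA", "CreateFileW"):         # dwDesiredAccess mask
        v = hexarg(args, 1)
        if v is None:
            return None
        names = [n for bit, n in ACCESS_BITS if v & bit]
        return " | ".join(names) if names else f"access 0x{v:08X}"
    if api == "socket":                               # address family and socket type
        fam, typ = hexarg(args, 0), hexarg(args, 1)
        if fam is None or typ is None:
            return None
        return f"{AF.get(fam, fam)} {SOCK.get(typ, typ)}"
    return None


def parse_listing(text: str) -> List[Call]:
    """Parse every API line of a listing; headings such as 'APIs' or 'Strings' are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        api = m.group("api")
        calls.append(Call(api, m.group("mod"), args, int(m.group("ref"), 16),
                          m.group("sub"), decode(api, args)))
    return calls


def triage(calls: List[Call]) -> List[str]:
    """Flag call patterns a reverser would note when reading these listings."""
    apis = {c.api for c in calls}
    notes: List[str] = []
    if "LoadLibraryA" in apis and "GetProcAddress" in apis:
        notes.append("resolves imports at runtime (LoadLibraryA + GetProcAddress)")
    for c in calls:
        if c.api == "htons" and c.decoded == "port 53":
            notes.append(f"{c.ref:08X}: sockaddr for port 53, custom DNS traffic")
        if c.api == "RegOpenKeyExA" and c.decoded == "HKEY_LOCAL_MACHINE":
            notes.append(f"{c.ref:08X}: reads machine-wide registry keys")
    return notes


if __name__ == "__main__":
    for call in parse_listing(SAMPLE):
        print(f"{call.ref:08X} {call.api:<18} {call.decoded or ''}")
    for note in triage(parse_listing(SAMPLE)):
        print("note:", note)
```

Feed it the "APIs" block of any function on this page and it reports the decoded constants alongside the raw listing; unknown arguments shown as "?" by the IDA plugin are kept as-is rather than guessed.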
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32(?), ref: 005095A7
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005095D5
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 005095DC
                                                                                                            • wsprintfA.USER32 ref: 00509635
                                                                                                            • wsprintfA.USER32 ref: 00509673
                                                                                                            • wsprintfA.USER32 ref: 005096F4
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00509758
                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0050978D
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005097D8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                            • String ID:
                                                                                                            • API String ID: 3696105349-0
                                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                            • Instruction ID: fcc9789048404b577290669ee20c604cb37839be3499ea7fcc8fcc46fc69fe22
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: 39A16BB2900209AFEB21DFA0DC49FDE3BACFB45740F104026FA1596192E7B5D9848BA5
APIs
• GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 005067C3
• htonl.WS2_32(?), ref: 005067DF
• htonl.WS2_32(?), ref: 005067EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 005068F1
• ExitProcess.KERNEL32 ref: 005069BC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 2ca80ee0204ff0a2125bba6b4180c348afa09c58e4350e1e3538498f886d14eb
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 8A617F71A40208AFDB609FB4DC45FEA7BE9FF48300F248466F96DD2161DA759990CF14
APIs
• htons.WS2_32(0050CC84), ref: 0050F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0050F5CE
• closesocket.WS2_32(00000000), ref: 0050F5DC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 5d80b83503de06ee30661aec7d93eed035036b35e7110777f8d4b016f4c20a66
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 63315A72900119ABDB20DFA5EC89DEF7BBCFF89310F104566F915E3190E7709A818BA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 00502FA1
• LoadLibraryA.KERNEL32(?), ref: 00502FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00502FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00503000
• RtlAllocateHeap.NTDLL(00000000), ref: 00503007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00503032
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 7e2c9f00423042eaed1cf754d36dbc9e802afc0499257d4291d172f496effe44
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 5621307194162ABBCB229B55DC49AAFBFBCFF08B50F104421F905E7180D7B49E8187E4
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00509A18
• GetThreadContext.KERNEL32(?,?), ref: 00509A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00509A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00509A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00509AB5
• ResumeThread.KERNEL32(?), ref: 00509AC2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: ea63c3cbd7d75b65810e0197cff3d2616efe2e84802cc9510c2be082278eebbe
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 40213BB1A01219BBDB219BA1DC09EEFBFBCFF04750F404061BA19E1095E7758A84CBA4
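The entry above is the injection primitive behind the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures: CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), GetThreadContext, a 4-byte WriteProcessMemory, SetThreadContext and ResumeThread. Reading TerminateProcess between GetThreadContext and WriteProcessMemory as the bail-out path when the context read fails is an interpretation, not something the report states. The first entry on this page and the 0x500000 dnsapi.dll entry show the other pattern worth keying on: DnsQuery_A resolved at run time through GetModuleHandleA, LoadLibraryA and GetProcAddress, so it never appears in the import table. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in the report's APIs format, names the Win32 constants the sandbox recorded for the parameters it knows, and flags both chains. SAMPLE is constructed from API lines copied from the entries on this page; the constant tables and the three-call look-back window for LoadLibrary are the example's own choices.

```python
"""Parse Joe Sandbox 'APIs' lines and flag the call chains seen in this report.

Added example; not part of the Joe Sandbox report and not Tofsee code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: API lines copied from the function entries above.
SAMPLE = """\
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00509A18
• GetThreadContext.KERNEL32(?,?), ref: 00509A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00509A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00509A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00509AB5
• ResumeThread.KERNEL32(?), ref: 00509AC2
• GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32 ref: 00501C84
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00506CE4
• socket.WS2_32(00000002,00000001,00000000), ref: 0050F5CE
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)"                      # API.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                         # optional (arg,arg,...)
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"    # optional ", ref: <addr>"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Call:
    api: str
    module: str
    args: List[object]      # int for 8-digit hex, str for symbols/paths, None for '?'
    ref: Optional[int]      # call-site address recorded by the sandbox


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if HEX_RE.match(tok) else tok


def parse_line(line: str) -> Call:
    m = LINE_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    raw = m["args"]
    args = [parse_arg(t) for t in raw.split(",")] if raw and raw.strip() else []
    return Call(m["api"], m["mod"], args, int(m["ref"], 16) if m["ref"] else None)


def parse(text: str) -> List[Call]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def base(api: str) -> str:
    """Fold the A/W suffix so CreateProcessA and CreateProcessW share one table entry."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" else api


# (base API, zero-based parameter index) -> documented Win32 bit flags / enum values.
FLAGS = {
    ("CreateProcess", 5): [(0x00000004, "CREATE_SUSPENDED"), (0x08000000, "CREATE_NO_WINDOW")],
    ("CreateFile", 1): [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")],
    ("CreateFile", 5): [(0x00000080, "FILE_ATTRIBUTE_NORMAL")],
}
ENUMS = {
    ("CreateFile", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"},
    ("socket", 0): {2: "AF_INET"},
    ("socket", 1): {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},
}


def decode(call: Call) -> Dict[int, str]:
    """Name the constants the sandbox recorded for this call's known parameters."""
    out: Dict[int, str] = {}
    for i, v in enumerate(call.args):
        if not isinstance(v, int):
            continue
        key = (base(call.api), i)
        if key in FLAGS:
            names = [n for mask, n in FLAGS[key] if v & mask]
            if names:
                out[i] = "|".join(names)
        elif key in ENUMS and v in ENUMS[key]:
            out[i] = ENUMS[key][v]
    return out


CREATE_SUSPENDED = 0x4
HOLLOW_TAIL = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def find_hollowing(calls: List[Call]) -> Optional[Dict[str, Optional[int]]]:
    """CreateProcess(CREATE_SUSPENDED) later followed by memory write, context patch and resume."""
    for i, c in enumerate(calls):
        flags = c.args[5] if base(c.api) == "CreateProcess" and len(c.args) > 5 else None
        if not (isinstance(flags, int) and flags & CREATE_SUSPENDED):
            continue
        seen: Dict[str, Optional[int]] = {}
        for later in calls[i + 1:]:
            if later.api in HOLLOW_TAIL and later.api not in seen:
                seen[later.api] = later.ref
        if all(name in seen for name in HOLLOW_TAIL):
            return {"CreateProcess": c.ref, **seen}
    return None


def find_dynamic_imports(calls: List[Call]) -> List[tuple]:
    """Symbols resolved by name with GetProcAddress, plus whether LoadLibrary ran just before."""
    found = []
    for i, c in enumerate(calls):
        if c.api == "GetProcAddress" and len(c.args) > 1 and isinstance(c.args[1], str):
            loaded = any(x.api.startswith("LoadLibrary") for x in calls[max(0, i - 3):i])
            found.append((c.args[1], loaded))
    return found


if __name__ == "__main__":
    calls = parse(SAMPLE)
    for c in calls:
        print(f"{c.api:<20} {decode(c)}")
    print("hollowing:", find_hollowing(calls))
    print("dynamic imports:", find_dynamic_imports(calls))
```

The same parser runs unchanged over the other entries on this page; for the two CreateFileA entries it names GENERIC_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL, which together with the following GetDiskFreeSpaceA and DeleteFileA reads as a write probe of the volume rather than a persistent drop.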
APIs
• inet_addr.WS2_32(004102D8), ref: 00501C18
• LoadLibraryA.KERNEL32(004102C8), ref: 00501C26
• GetProcessHeap.KERNEL32 ref: 00501C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00501C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00501CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 00501D02
• FreeLibrary.KERNEL32(?), ref: 00501D0B
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 2833530644370ecba03bbe8fb2f0045ddba91da9e4cdc6920dbd86f4963a736f
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: BC315A32E00609BFCB119FE4DC898AEBFB9FB45301B24447AE501A7150D7B58E80DB9A
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00506CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00506D22
• GetLastError.KERNEL32 ref: 00506DA7
• CloseHandle.KERNEL32(?), ref: 00506DB5
• GetLastError.KERNEL32 ref: 00506DD6
• DeleteFileA.KERNEL32(?), ref: 00506DE7
• GetLastError.KERNEL32 ref: 00506DFD
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: 0baa1195176ce12a1305c350d06d84dc6662ed8af1b6eb3338b18a35cc6295d3
                                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                            • Instruction Fuzzy Hash: 3031F376A0024ABFCB01DFA4DD49ADE7FB9FF48300F148565E251E3291D77089658B61
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\bsoavhio,00507043), ref: 00506F4E
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00506F55
                                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00506F7B
                                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00506F92
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                            • String ID: C:\Windows\SysWOW64\$\\.\pipe\bsoavhio
                                                                                                            • API String ID: 1082366364-3665216759
                                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                            • Instruction ID: 2c942f8bd02546b5fbd0d429c9bdb87c4e1babeb0f543f509deba25fec857ac2
                                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                            • Instruction Fuzzy Hash: 14212321B443467EF7325331AC8DFFF2E4CAB96720F1840A5F404E64C1DAD998E682AD
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen
                                                                                                            • String ID: $localcfg
                                                                                                            • API String ID: 1659193697-2018645984
                                                                                                            • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                                            • Instruction ID: 059c65a5002b6ebf62f38e0176bd808462412615692c1b2220a51117cc8b3f6f
                                                                                                            • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                                            • Instruction Fuzzy Hash: 8A713873A40309AAEF319B58DC8AFEE3F69BB40705F244426F905A60D1DA729DC48757
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                            • String ID: flags_upd$localcfg
                                                                                                            • API String ID: 204374128-3505511081
                                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                            APIs
                                                                                                              • Part of subcall function 0050DF6C: GetCurrentThreadId.KERNEL32 ref: 0050DFBA
                                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 0050E8FA
                                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00506128), ref: 0050E950
                                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 0050E989
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                            • String ID: A$ A$ A
                                                                                                            • API String ID: 2920362961-1846390581
                                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                            • Instruction ID: bd64af11558232a552c74417b043e23b388a9685f5432efeabc6828d8c8652dc
                                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                            • Instruction Fuzzy Hash: 89318B316007069BDB71CF24C88ABAE7FE4FB05720F208D2AE69687591D370E880CB91
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Code
                                                                                                            • String ID:
                                                                                                            • API String ID: 3609698214-0
                                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                            • Instruction ID: d26fc4fa00ca4fa3206597952fd086b76d1f46e2aafb1add8ecf42ebaf84daa0
                                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                            • Instruction Fuzzy Hash: 73212E7610421ABFDB119B70FC49EDF7FADFB49761B208825F502D10D1EB709A509674
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Code
                                                                                                            • String ID:
                                                                                                            • API String ID: 3609698214-0
                                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                            APIs
                                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 005092E2
                                                                                                            • wsprintfA.USER32 ref: 00509350
                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00509375
                                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 00509389
                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 00509394
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0050939B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 2439722600-0
                                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                            • Instruction ID: aaaf721cbd99d80b55a4c2479cc0cbd6cfc18c22cdb9244f7af46d3cd1051450
                                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                            • Instruction Fuzzy Hash: 771181B27401157BE7216B32EC0EFEF7E6DEBC8B10F108565BB09E50D1EAB44A4186A4
                                                                                                            APIs
                                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                                            • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 2439722600-0
                                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                            • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3819781495-0
                                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0050C6B4
                                                                                                            • InterlockedIncrement.KERNEL32(0050C74B), ref: 0050C715
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0050C747), ref: 0050C728
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0050C747,00413588,00508A77), ref: 0050C733
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 1026198776-1857712256
                                                                                                            • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                            • Instruction ID: fb097c7471bfcc9ad2ae0457a5e007f5f9340153d08c6edcf59caf5da0d264a8
                                                                                                            • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                            • Instruction Fuzzy Hash: 30512AB5A01B418FD7348F69C98552ABFE9FB49300B505A3EE18BC7AE1D775F8448B10
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe
• API String ID: 124786226-1914701919
• Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59

APIs
• RegCreateKeyExA.ADVAPI32(80000001,0050E50A,00000000,00000000,00000000,00020106,00000000,0050E50A,00000000,000000E4), ref: 0050E319
• RegSetValueExA.ADVAPI32(0050E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0050E38E
• RegDeleteValueA.ADVAPI32(0050E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DP), ref: 0050E3BF
• RegCloseKey.ADVAPI32(0050E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DP,0050E50A), ref: 0050E3C8
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: DP
• API String ID: 2667537340-458182505
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: a25b1e36076fa1895038ecfc9dfe53c2a1bc83924f07edf69fcac0480876de93
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: CE218E71A0021DBBDF209FA4EC8AEDE7F78EF08750F148421F904E6091E2719A54D7A0

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 005071E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00507228
• LocalFree.KERNEL32(?,?,?), ref: 00507286
• wsprintfA.USER32 ref: 0050729D
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 0ad2edc65f487bfbe63c4745f435d9f60115a6f8c364adc77d22bfcc52eb32e3
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 2C312B76904109BBCB11DFA8DC49ADE3FACFF08314F148066F959DB141EB75E6488BA4

APIs
• BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A2CD
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A2E5
• UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A2ED
• GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A334
Memory Dump Source
• Source File: 0000000B.00000002.2248486712.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_415000_nutgoowa.jbxd
Similarity
• API ID: BuildCommExceptionFilterNamePathPrivateProfileShortStringUnhandledWrite
• String ID: -
• API String ID: 798774265-2547889144
• Opcode ID: 3d90542581e238cb84295c313c464a692e5095d9864c298ecc9d7ba5e2e74f3b
• Instruction ID: 4c4e1cc5ddb1a1e37ffca9a859bb480becdedea699cb69c31b0276ffeb757c76
• Opcode Fuzzy Hash: 3d90542581e238cb84295c313c464a692e5095d9864c298ecc9d7ba5e2e74f3b
• Instruction Fuzzy Hash: A011EB70B052089AD7209F64DD85BDE77B4EB0C321F5140A9FB19AB2C1CA7519C5CB5E

APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F

APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64

APIs
• GetLocalTime.KERNEL32(?), ref: 0050B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0050B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0050B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0050B590
• wsprintfA.USER32 ref: 0050B61E
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 80a2751c1e1f9a53dcfaa8aa2e016a0e0f54cfa1e907237323ecab6cb7d09540
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 615120B1D0021DAADF14DFD5D8895EEBBB9BF48304F10856AF501A6150E7B84AC9CF98

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00506303
• LoadLibraryA.KERNEL32(?), ref: 0050632A
• GetProcAddress.KERNEL32(00000000,?), ref: 005063B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00506405
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 28f1cdd44ca16b37dc3fc4ba56fdc7b2d0013c55c2a99d49c6016df52a5b5a60
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 34415C71A0020AAFDB14CF58D894AADBBB8FF04354F288969E815DB2D0D771ED50CB90

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                            • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                            • String ID: A$ A
                                                                                                            • API String ID: 3343386518-686259309
                                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                              • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                                            • String ID:
                                                                                                            • API String ID: 1802437671-0
                                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: setsockopt
                                                                                                            • String ID:
                                                                                                            • API String ID: 3981526788-0
                                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005093C6
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 005093CD
                                                                                                            • CharToOemA.USER32(?,?), ref: 005093DB
                                                                                                            • wsprintfA.USER32 ref: 00509410
                                                                                                              • Part of subcall function 005092CB: GetTempPathA.KERNEL32(00000400,?), ref: 005092E2
                                                                                                              • Part of subcall function 005092CB: wsprintfA.USER32 ref: 00509350
                                                                                                              • Part of subcall function 005092CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00509375
                                                                                                              • Part of subcall function 005092CB: lstrlen.KERNEL32(?,?,00000000), ref: 00509389
                                                                                                              • Part of subcall function 005092CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00509394
                                                                                                              • Part of subcall function 005092CB: CloseHandle.KERNEL32(00000000), ref: 0050939B
                                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00509448
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3857584221-0
                                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                            • Instruction ID: 1628605f90f3c1804d22a15f2d7bdfcc1dc627e61ef4eaf625077668ace51a19
                                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                            • Instruction Fuzzy Hash: D8015EF69001197BDB21A7619D8DEDF3B7CEBD5701F0040A2BB49E2081EAB49AC58F75
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3857584221-0
                                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 1808961391-1857712256
                                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                            • API String ID: 2574300362-1087626847
                                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                            APIs
                                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                            • String ID: hi_id$localcfg
                                                                                                            • API String ID: 2777991786-2393279970
                                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                            APIs
                                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                            • String ID: *p@
                                                                                                            • API String ID: 3429775523-2474123842
                                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                                            APIs
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0050EEC5
                                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0050EED9
                                                                                                            • GetTickCount.KERNEL32 ref: 0050EEDF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                            • String ID: z}-
                                                                                                            • API String ID: 1209300637-1318309817
                                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: gethostbynameinet_addr
                                                                                                            • String ID: time_cfg$u6A
                                                                                                            • API String ID: 1594361348-1940331995
                                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                            • Instruction ID: f5f3fe5cfb17209746c8bc8e64668e3b05de3fdd32741c866f6791aa8baafeb3
                                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                            • Instruction Fuzzy Hash: 9FE0E2346086219FDB909B28F848ADA7BA5AF4A330F058595F494D72A1C7749CC1AA94
                                                                                                            APIs
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 005069E5
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 00506A26
                                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 00506A3A
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 00506BD8
                                                                                                              • Part of subcall function 0050EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00501DCF,?), ref: 0050EEA8
                                                                                                              • Part of subcall function 0050EE95: HeapFree.KERNEL32(00000000), ref: 0050EEAF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 3384756699-0
                                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                            • Instruction ID: 566aa4bdf4ff6704a2f952561fb4f0fa03f14baaab6b2a1b6e8d1b8921190c95
                                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                            • Instruction Fuzzy Hash: EF7115B190022DEFDF109FA4CC84AEEBFB9FB04314F10456AE515E6190E7349EA2DB60
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf
                                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                            • API String ID: 2111968516-120809033
                                                                                                            • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                            • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                            • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                            • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                            APIs
                                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseCreateDelete
                                                                                                            • String ID:
                                                                                                            • API String ID: 2667537340-0
                                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
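The three cards above (the AllocateAndInitializeSid / CheckTokenMembership / FreeSid chain, the SetFileAttributesA calls, and the RegCreateKeyExA / RegSetValueExA writes) show their parameters as raw hex. The following is an added example, not Joe Sandbox code, that parses lines in this card format and decodes the well-known Win32 constants in them, so an analyst reading the text export sees "BUILTIN\Administrators", "HKEY_CURRENT_USER", "REG_BINARY" and "FILE_ATTRIBUTE_HIDDEN" instead of 00000220, 80000001, 00000003 and 00000002. The sample input is the API lines from these cards, copied verbatim. Two assumptions are labelled in the code: the SID identifier authority is not visible in the report (it is passed by pointer, printed as "?"), so the NT authority S-1-5 is assumed, which is the only authority under which RIDs 32-544 are meaningful; and the argument columns are stack snapshots, so values that are not decoded here (such as the lpData/cbData columns of RegSetValueExA) are left alone rather than interpreted.

```python
"""Decode well-known Win32 constants that appear as raw hex in Joe Sandbox
'Executed Functions' API lines. Added example, not Joe Sandbox code."""
import re
from typing import Any, Dict, List, Optional, Tuple

# A card line looks like:  • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,...), ref: 0040E0B2
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # numeric arguments are printed as 8 hex digits

REG_HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}
KEY_ACCESS_BITS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
                   (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
                   (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE"),
                   (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
FILE_ATTR_BITS = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
                  (0x4, "FILE_ATTRIBUTE_SYSTEM"), (0x10, "FILE_ATTRIBUTE_DIRECTORY"),
                  (0x20, "FILE_ATTRIBUTE_ARCHIVE"), (0x80, "FILE_ATTRIBUTE_NORMAL")]
WELL_KNOWN_RIDS = {(32, 544): "BUILTIN\\Administrators", (32, 545): "BUILTIN\\Users"}


def parse_args(raw: str) -> List[Any]:
    """8-hex-digit tokens become ints; '?' and string arguments stay as text."""
    return [int(t, 16) if HEX8.match(t.strip()) else t.strip() for t in raw.split(",")]


def parse_api_line(line: str) -> Optional[Dict[str, Any]]:
    m = API_LINE.search(line)
    if not m:
        return None
    return {"api": m["api"], "dll": m["dll"], "ref": m["ref"], "args": parse_args(m["args"])}


def flags(value: int, table: List[Tuple[int, str]]) -> List[str]:
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(f"0x{rest:X}")  # bits the table does not know
    return names


def decode_sid(args: List[Any], authority: int = 5) -> Tuple[str, str]:
    """AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0..sub7, ppSid).
    The authority is passed by pointer and shows as '?', so S-1-5 (NT) is ASSUMED."""
    count = args[1]
    subs = args[2:2 + count] if isinstance(count, int) else []
    if not subs or not all(isinstance(s, int) for s in subs):
        raise ValueError("sub-authorities not recoverable from this line")
    sid = f"S-1-{authority}" + "".join(f"-{s}" for s in subs)
    return sid, WELL_KNOWN_RIDS.get(tuple(subs), "unknown")


def annotate(call: Dict[str, Any]) -> List[str]:
    """Human-readable notes for the argument positions whose meaning is fixed by
    the API prototype. Other columns are stack snapshots and are left alone."""
    api, a, notes = call["api"], call["args"], []
    if api == "AllocateAndInitializeSid" and isinstance(a[1], int):
        sid, name = decode_sid(a)
        notes.append(f"SID {sid} ({name})")
    elif api == "RegCreateKeyExA":  # (hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, ...)
        if isinstance(a[0], int):
            notes.append(REG_HIVES.get(a[0], f"hKey 0x{a[0]:X}"))
        if isinstance(a[5], int):
            notes.append("samDesired=" + "|".join(flags(a[5], KEY_ACCESS_BITS)))
    elif api == "RegSetValueExA" and isinstance(a[3], int):  # (hKey, lpValueName, Reserved, dwType, ...)
        notes.append(REG_TYPES.get(a[3], f"type {a[3]}"))
    elif api == "SetFileAttributesA" and isinstance(a[1], int):
        notes.append("|".join(flags(a[1], FILE_ATTR_BITS)))
    return notes


def is_admin_check(card_lines: List[str]) -> bool:
    """True when a card shows the classic 'is the token in BUILTIN\\Administrators' idiom."""
    calls = [c for c in map(parse_api_line, card_lines) if c]
    if not {"AllocateAndInitializeSid", "CheckTokenMembership", "FreeSid"} <= {c["api"] for c in calls}:
        return False
    alloc = next(c for c in calls if c["api"] == "AllocateAndInitializeSid")
    try:
        return decode_sid(alloc["args"])[1] == "BUILTIN\\Administrators"
    except ValueError:
        return False


def summarize(card_lines: List[str]) -> List[str]:
    out = []
    for call in filter(None, map(parse_api_line, card_lines)):
        out.append(f"{call['api']} @ {call['ref']}: " + ("; ".join(annotate(call)) or "-"))
    return out


# Constructed sample input: API lines copied verbatim from the cards in this report.
ADMIN_CARD = [
    "• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F",
    "• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24",
    "• FreeSid.ADVAPI32(?), ref: 00406F3E",
]
REG_CARD = [
    "• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2",
    "• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127",
]
FILE_CARD = [
    "• SetFileAttributesA.KERNEL32(?,00000080), ref: 005069E5",
    "• SetFileAttributesA.KERNEL32(?,00000002), ref: 00506A26",
]

if __name__ == "__main__":
    for card in (ADMIN_CARD, REG_CARD, FILE_CARD):
        print("\n".join(summarize(card)))
    print("admin-membership check:", is_admin_check(ADMIN_CARD))
```

The samDesired value 00020106 decodes to KEY_SET_VALUE | KEY_CREATE_SUB_KEY | READ_CONTROL (together KEY_WRITE) plus KEY_WOW64_64KEY, so the sample is asking for the 64-bit view of the HKCU key it creates; the dwType 00000003 on the following RegSetValueExA is REG_BINARY, consistent with storing an opaque blob rather than a string.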
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005041AB
                                                                                                            • GetLastError.KERNEL32 ref: 005041B5
                                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 005041C6
                                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005041D9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3373104450-0
                                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                            • Instruction ID: e86bc236f5567a618efa154d058bdd960ccee8666b4e55499de7f60bc192403e
                                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                            • Instruction Fuzzy Hash: 1D01E97651110AABDF01DF91ED84BEE7B6CFB18355F108061FA01E2090D7709A94CFB5
                                                                                                            APIs
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0050421F
                                                                                                            • GetLastError.KERNEL32 ref: 00504229
                                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 0050423A
                                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0050424D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 888215731-0
                                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                            • Instruction ID: 3b8152c374b5bcd641528852aec561f9f3e46abaaa6608c8e442907e94505fbd
                                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                            • Instruction Fuzzy Hash: C901A5B261110AABDF01DF90ED84BEE7BACFB08355F108461FA01E2090D7709A649FB6
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3373104450-0
                                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                            APIs
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 888215731-0
                                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                            APIs
                                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 0050E066
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmp
                                                                                                            • String ID: A$ A$ A
                                                                                                            • API String ID: 1534048567-1846390581
                                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                            • Instruction ID: 60cfe8b6ab6b27e5d6bc22ee60cb52aae534cdbbfee7987f978894d6659470c1
                                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                            • Instruction Fuzzy Hash: 9AF06272600702DBCB20CF25D998A96BBE9FF45321B648A2AE154C30A0D3B4A899CB51
                                                                                                            APIs
                                                                                                            • QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B040,0041A731), ref: 0041A38C
                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B040,0041A731), ref: 0041A3A7
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A3CA
                                                                                                            • GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A3D4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248486712.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_415000_nutgoowa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
                                                                                                            • String ID:
                                                                                                            • API String ID: 2305449109-0
                                                                                                            • Opcode ID: 1b5403d9b597b0220ecab3d9d64d0da133da4582f75a99000351f33451ae7082
                                                                                                            • Instruction ID: cbbff76f5b5b3703d3ea7a2db304a5cfc2eaf9a1075c9c9474a8520c0f451ca1
                                                                                                            • Opcode Fuzzy Hash: 1b5403d9b597b0220ecab3d9d64d0da133da4582f75a99000351f33451ae7082
                                                                                                            • Instruction Fuzzy Hash: 3EF05E31786214FBEA306B64EC4AF863724E708716F508032F719E92E0C6F428918A6E
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                            • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                            • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                            • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                            • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                            • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                            • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00000001,DP,00000000,00000000,00000000), ref: 0050E470
                                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0050E484
                                                                                                              • Part of subcall function 0050E2FC: RegCreateKeyExA.ADVAPI32(80000001,0050E50A,00000000,00000000,00000000,00020106,00000000,0050E50A,00000000,000000E4), ref: 0050E319
                                                                                                              • Part of subcall function 0050E2FC: RegSetValueExA.ADVAPI32(0050E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0050E38E
                                                                                                              • Part of subcall function 0050E2FC: RegDeleteValueA.ADVAPI32(0050E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DP), ref: 0050E3BF
                                                                                                              • Part of subcall function 0050E2FC: RegCloseKey.ADVAPI32(0050E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DP,0050E50A), ref: 0050E3C8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                            • String ID: DP
                                                                                                            • API String ID: 4151426672-458182505
                                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                            • Instruction ID: a95db290889fe77a4c7dd4ab06827ee0955a7939e6fe0103e06b16cc02cd9932
                                                                                                            • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                            • Instruction Fuzzy Hash: EE41C9B2D00215BAEF206B518D4BFEF3F6CFB44724F248425F909940D2E7B58A50D6B5
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 005083C6
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00508477
                                                                                                              • Part of subcall function 005069C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 005069E5
                                                                                                              • Part of subcall function 005069C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00506A26
                                                                                                              • Part of subcall function 005069C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00506A3A
                                                                                                              • Part of subcall function 0050EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00501DCF,?), ref: 0050EEA8
                                                                                                              • Part of subcall function 0050EE95: HeapFree.KERNEL32(00000000), ref: 0050EEAF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                            • String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe
                                                                                                            • API String ID: 359188348-1914701919
                                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                            • Instruction ID: 4441b0b680c172e74f964905b1cbd106f4daf5733036b792213e39f3d3496db5
                                                                                                            • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                            • Instruction Fuzzy Hash: FC415FB290010ABFEF20EBA0DE85DFF7F6CFB44344F1444A6F544D6191EAB05A988B65
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0050AFFF
                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0050B00D
                                                                                                              • Part of subcall function 0050AF6F: gethostname.WS2_32(?,00000080), ref: 0050AF83
                                                                                                              • Part of subcall function 0050AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0050AFE6
                                                                                                              • Part of subcall function 0050331C: gethostname.WS2_32(?,00000080), ref: 0050333F
                                                                                                              • Part of subcall function 0050331C: gethostbyname.WS2_32(?), ref: 00503349
                                                                                                              • Part of subcall function 0050AA0A: inet_ntoa.WS2_32(00000000), ref: 0050AA10
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                            • String ID: %OUTLOOK_BND_
                                                                                                            • API String ID: 1981676241-3684217054
                                                                                                            • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                                            • Instruction ID: cd3437228402cc52dbcd8875bc5ad51427264c561c93dc0425d3a9ab084cd542
                                                                                                            • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                                            • Instruction Fuzzy Hash: 3741317290020DABDB25EFA0DC4AEEF3BACFF48304F244426F92592192EB75D654CB54
                                                                                                            APIs
                                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00509536
                                                                                                            • Sleep.KERNEL32(000001F4), ref: 0050955D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteShellSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 4194306370-3916222277
                                                                                                            • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                            • Instruction ID: decc59ece2a28a4332cc396040048363ca0a44a1c2c7e7cfddc837302f48a8ff
                                                                                                            • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                            • Instruction Fuzzy Hash: 1F4105B18083856EEF378B65DC9D7AE7FA4BF42314F2801A5D482971EBD6B44D818711
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                            • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite
                                                                                                            • String ID: ,k@
                                                                                                            • API String ID: 3934441357-1053005162
                                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0050B9D9
                                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 0050BA3A
                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0050BA94
                                                                                                            • GetTickCount.KERNEL32 ref: 0050BB79
                                                                                                            • GetTickCount.KERNEL32 ref: 0050BB99
                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0050BE15
                                                                                                            • closesocket.WS2_32(00000000), ref: 0050BEB4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: a0679e6efd973fd8677562de91e3a7cdf51bb8100a75e6db32432f5c5168e886
• Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction Fuzzy Hash: 7D317C71500249DFEF25DFA4DC89AEE7BB8FB48700F204466FA24921A1EB34DA85CF14
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 005070BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 005070F4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: 536fc7b6dcc306ddee13acdf4f725034ee36dd946f1356f95cb9956d07c39f8e
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 9C11F772D0411CEBDF21CBE4DC84AEEBBBDBB08711F1441A6E501E61D0D670AB99DBA0
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(gxtfamnt,Function_00009867), ref: 0040996C
  • Part of subcall function 00409892: SetServiceStatus.SECHOST(00413394), ref: 004098EB
  • Part of subcall function 004098F2: Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Service$CtrlHandlerRegisterSleepStatus
• String ID: HvT$gxtfamnt
• API String ID: 1317371667-3626281857
• Opcode ID: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
• Instruction ID: 8090f714d00e8c700c7feefac428721607cdcb0429ac14865b211bf96103553c
• Opcode Fuzzy Hash: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
• Instruction Fuzzy Hash: 55F054F2550308AEE2106F616D87B537548A711349F08C03FB919693D3EBBD4D44822D
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
APIs
  • Part of subcall function 00502F88: GetModuleHandleA.KERNEL32(?), ref: 00502FA1
  • Part of subcall function 00502F88: LoadLibraryA.KERNEL32(?), ref: 00502FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 005031DA
• HeapFree.KERNEL32(00000000), ref: 005031E1
Memory Dump Source
• Source File: 0000000B.00000002.2249103776.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_500000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: f544a2f0efe72d2b169096df0751cedd5b241c7030d00a6ca4e1d1f3a36290ec
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: 8F51993590020BAFCB11DF64D8889EEBB79FF19304F244569EC9687291E7329A19CB90
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000B.00000002.2248402464.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_nutgoowa.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

Execution Graph

Execution Coverage: 15.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1808
Total number of Limit Nodes: 18
8 API calls 8183 505315 8182->8183 8185 504ae6 8 API calls 8183->8185 8184->8182 8186 505323 8185->8186 8187 504ae6 8 API calls 8186->8187 8189 505331 8187->8189 8188 504ae6 8 API calls 8188->8189 8189->8173 8189->8188 8190 504ae6 8 API calls 8189->8190 8191 505351 lstrcmpA 8190->8191 8191->8173 8191->8189 8193 504a53 8192->8193 8194 504a4a 8192->8194 8196 504a78 8193->8196 8197 50ebed 8 API calls 8193->8197 8195 50ebed 8 API calls 8194->8195 8195->8193 8198 504aa3 8196->8198 8199 504a8e 8196->8199 8197->8196 8200 504a9b 8198->8200 8202 50ebed 8 API calls 8198->8202 8199->8200 8201 50ec2e codecvt 4 API calls 8199->8201 8200->8168 8201->8200 8202->8200 8203 504c0d 8204 504ae6 8 API calls 8203->8204 8205 504c17 8204->8205 8206 50be31 lstrcmpiA 8207 50be55 lstrcmpiA 8206->8207 8214 50be71 8206->8214 8208 50be61 lstrcmpiA 8207->8208 8207->8214 8211 50bfc8 8208->8211 8208->8214 8209 50bf62 lstrcmpiA 8210 50bf77 lstrcmpiA 8209->8210 8213 50bf70 8209->8213 8212 50bf8c lstrcmpiA 8210->8212 8210->8213 8212->8213 8213->8211 8215 50bfc2 8213->8215 8216 50ec2e codecvt 4 API calls 8213->8216 8214->8209 8217 50ebcc 4 API calls 8214->8217 8218 50ec2e codecvt 4 API calls 8215->8218 8216->8213 8221 50beb6 8217->8221 8218->8211 8219 50bf5a 8219->8209 8220 50ebcc 4 API calls 8220->8221 8221->8209 8221->8211 8221->8219 8221->8220 8222 505d34 IsBadWritePtr 8223 505d47 8222->8223 8224 505d4a 8222->8224 8225 505389 12 API calls 8224->8225 8226 505d80 8225->8226 8050 504960 8051 50496d 8050->8051 8053 50497d 8050->8053 8052 50ebed 8 API calls 8051->8052 8052->8053 8054 504861 IsBadWritePtr 8055 504876 8054->8055 8056 509961 RegisterServiceCtrlHandlerA 8057 50997d 8056->8057 8058 5099cb 8056->8058 8066 509892 8057->8066 8060 50999a 8061 5099ba 8060->8061 8062 509892 SetServiceStatus 8060->8062 8061->8058 8064 509892 SetServiceStatus 8061->8064 8063 5099aa 8062->8063 8063->8061 8065 5098f2 41 API calls 8063->8065 8064->8058 8065->8061 8067 5098c2 SetServiceStatus 8066->8067 8067->8060 8227 
505e21 8228 505e36 8227->8228 8229 505e29 8227->8229 8230 5050dc 17 API calls 8229->8230 8230->8228 8231 5035a5 8232 5030fa 4 API calls 8231->8232 8234 5035b3 8232->8234 8233 5035ea 8234->8233 8238 50355d 8234->8238 8236 5035da 8236->8233 8237 50355d 4 API calls 8236->8237 8237->8233 8239 50f04e 4 API calls 8238->8239 8240 50356a 8239->8240 8240->8236 8241 505029 8246 504a02 8241->8246 8247 504a12 8246->8247 8248 504a18 8246->8248 8250 50ec2e codecvt 4 API calls 8247->8250 8249 504a26 8248->8249 8251 50ec2e codecvt 4 API calls 8248->8251 8252 50ec2e codecvt 4 API calls 8249->8252 8253 504a34 8249->8253 8250->8248 8251->8249 8252->8253 6154 509a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 6270 50ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6154->6270 6156 509a95 6157 509aa3 GetModuleHandleA GetModuleFileNameA 6156->6157 6162 50a3cc 6156->6162 6170 509ac4 6157->6170 6158 50a41c CreateThread WSAStartup 6271 50e52e 6158->6271 7345 50405e CreateEventA 6158->7345 6159 509afd GetCommandLineA 6171 509b22 6159->6171 6160 50a406 DeleteFileA 6160->6162 6163 50a40d 6160->6163 6162->6158 6162->6160 6162->6163 6166 50a3ed GetLastError 6162->6166 6163->6158 6164 50a445 6290 50eaaf 6164->6290 6166->6163 6168 50a3f8 Sleep 6166->6168 6167 50a44d 6294 501d96 6167->6294 6168->6160 6170->6159 6174 509c0c 6171->6174 6181 509b47 6171->6181 6172 50a457 6342 5080c9 6172->6342 6534 5096aa 6174->6534 6185 509b96 lstrlenA 6181->6185 6188 509b58 6181->6188 6182 50a1d2 6189 50a1e3 GetCommandLineA 6182->6189 6183 509c39 6186 50a167 GetModuleHandleA GetModuleFileNameA 6183->6186 6540 504280 CreateEventA 6183->6540 6185->6188 6187 509c05 ExitProcess 6186->6187 6191 50a189 6186->6191 6188->6187 6493 50675c 6188->6493 6215 50a205 6189->6215 6191->6187 6197 50a1b2 GetDriveTypeA 6191->6197 6197->6187 6200 50a1c5 6197->6200 6641 509145 GetModuleHandleA GetModuleFileNameA CharToOemA 6200->6641 6201 50675c 21 API calls 6203 509c79 6201->6203 6203->6186 6210 509ca0 
GetTempPathA 6203->6210 6211 509e3e 6203->6211 6204 509bff 6204->6187 6206 50a491 6207 50a49f GetTickCount 6206->6207 6208 50a4be Sleep 6206->6208 6214 50a4b7 GetTickCount 6206->6214 6389 50c913 6206->6389 6207->6206 6207->6208 6208->6206 6210->6211 6213 509cba 6210->6213 6218 509e6b GetEnvironmentVariableA 6211->6218 6225 509e04 6211->6225 6212 50a239 6649 506ec3 6212->6649 6566 5099d2 lstrcpyA 6213->6566 6214->6208 6215->6212 6219 50a285 lstrlenA 6215->6219 6221 509e7d 6218->6221 6218->6225 6219->6212 6222 5099d2 16 API calls 6221->6222 6224 509e9d 6222->6224 6224->6225 6230 509eb0 lstrcpyA lstrlenA 6224->6230 6636 50ec2e 6225->6636 6228 509d5f 6580 506cc9 6228->6580 6229 50a3c2 6653 5098f2 6229->6653 6232 509ef4 6230->6232 6235 506dc2 6 API calls 6232->6235 6239 509f03 6232->6239 6234 50a3c7 6234->6162 6235->6239 6236 50a39d StartServiceCtrlDispatcherA 6236->6229 6237 509d72 lstrcpyA lstrcatA lstrcatA 6238 509cf6 6237->6238 6589 509326 6238->6589 6240 509f32 RegOpenKeyExA 6239->6240 6241 509f48 RegSetValueExA RegCloseKey 6240->6241 6245 509f70 6240->6245 6241->6245 6242 50a35f 6242->6229 6242->6236 6250 509f9d GetModuleHandleA GetModuleFileNameA 6245->6250 6246 509e0c DeleteFileA 6246->6211 6247 509dde GetFileAttributesExA 6247->6246 6248 509df7 6247->6248 6248->6225 6626 5096ff 6248->6626 6252 509fc2 6250->6252 6253 50a093 6250->6253 6252->6253 6259 509ff1 GetDriveTypeA 6252->6259 6254 50a103 CreateProcessA 6253->6254 6257 50a0a4 wsprintfA 6253->6257 6255 50a13a 6254->6255 6256 50a12a DeleteFileA 6254->6256 6255->6225 6262 5096ff 3 API calls 6255->6262 6256->6255 6632 502544 6257->6632 6259->6253 6261 50a00d 6259->6261 6264 50a02d lstrcatA 6261->6264 6262->6225 6266 50a046 6264->6266 6267 50a052 lstrcatA 6266->6267 6268 50a064 lstrcatA 6266->6268 6267->6268 6268->6253 6269 50a081 lstrcatA 6268->6269 6269->6253 6270->6156 6660 50dd05 GetTickCount 6271->6660 6273 50e538 6668 50dbcf 6273->6668 6275 50e544 6276 50e555 GetFileSize 6275->6276 6280 50e5b8 6275->6280 
6277 50e5b1 CloseHandle 6276->6277 6278 50e566 6276->6278 6277->6280 6692 50db2e 6278->6692 6678 50e3ca RegOpenKeyExA 6280->6678 6282 50e576 ReadFile 6282->6277 6284 50e58d 6282->6284 6696 50e332 6284->6696 6285 50e5f2 6288 50e3ca 19 API calls 6285->6288 6289 50e629 6285->6289 6288->6289 6289->6164 6291 50eabe 6290->6291 6293 50eaba 6290->6293 6292 50dd05 6 API calls 6291->6292 6291->6293 6292->6293 6293->6167 6295 50ee2a 6294->6295 6296 501db4 GetVersionExA 6295->6296 6297 501dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6296->6297 6299 501e24 6297->6299 6300 501e16 GetCurrentProcess 6297->6300 6754 50e819 6299->6754 6300->6299 6302 501e3d 6303 50e819 11 API calls 6302->6303 6304 501e4e 6303->6304 6305 501e77 6304->6305 6795 50df70 6304->6795 6761 50ea84 6305->6761 6308 501e6c 6310 50df70 12 API calls 6308->6310 6310->6305 6311 50e819 11 API calls 6312 501e93 6311->6312 6765 50199c inet_addr LoadLibraryA 6312->6765 6315 50e819 11 API calls 6316 501eb9 6315->6316 6317 50f04e 4 API calls 6316->6317 6323 501ed8 6316->6323 6319 501ec9 6317->6319 6318 50e819 11 API calls 6320 501eee 6318->6320 6321 50ea84 30 API calls 6319->6321 6322 501f0a 6320->6322 6779 501b71 6320->6779 6321->6323 6325 50e819 11 API calls 6322->6325 6323->6318 6327 501f23 6325->6327 6326 501efd 6329 50ea84 30 API calls 6326->6329 6328 501f3f 6327->6328 6783 501bdf 6327->6783 6331 50e819 11 API calls 6328->6331 6329->6322 6333 501f5e 6331->6333 6335 501f77 6333->6335 6336 50ea84 30 API calls 6333->6336 6334 50ea84 30 API calls 6334->6328 6791 5030b5 6335->6791 6336->6335 6339 506ec3 2 API calls 6341 501f8e GetTickCount 6339->6341 6341->6172 6343 506ec3 2 API calls 6342->6343 6344 5080eb 6343->6344 6345 5080f9 6344->6345 6346 5080ef 6344->6346 6862 50704c 6345->6862 6849 507ee6 6346->6849 6349 5080f4 6351 50675c 21 API calls 6349->6351 6361 508269 CreateThread 6349->6361 6350 508110 6350->6349 6353 508156 RegOpenKeyExA 6350->6353 6352 508244 6351->6352 6358 50ec2e codecvt 4 API calls 6352->6358 
6352->6361 6354 508216 6353->6354 6355 50816d RegQueryValueExA 6353->6355 6354->6349 6356 5081f7 6355->6356 6360 50818d 6355->6360 6357 50820d RegCloseKey 6356->6357 6359 50ec2e codecvt 4 API calls 6356->6359 6357->6354 6358->6361 6367 5081dd 6359->6367 6360->6356 6362 50ebcc 4 API calls 6360->6362 6368 505e6c 6361->6368 7323 50877e 6361->7323 6363 5081a0 6362->6363 6363->6357 6364 5081aa RegQueryValueExA 6363->6364 6364->6356 6365 5081c4 6364->6365 6366 50ebcc 4 API calls 6365->6366 6366->6367 6367->6357 6964 50ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6368->6964 6370 505e71 6965 50e654 6370->6965 6372 505ec1 6373 503132 6372->6373 6374 50df70 12 API calls 6373->6374 6375 50313b 6374->6375 6376 50c125 6375->6376 6976 50ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6376->6976 6378 50c12d 6379 50e654 13 API calls 6378->6379 6380 50c2bd 6379->6380 6381 50e654 13 API calls 6380->6381 6382 50c2c9 6381->6382 6383 50e654 13 API calls 6382->6383 6384 50a47a 6383->6384 6385 508db1 6384->6385 6386 508dbc 6385->6386 6387 50e654 13 API calls 6386->6387 6388 508dec Sleep 6387->6388 6388->6206 6390 50c92f 6389->6390 6392 50c93c 6390->6392 6988 50c517 6390->6988 6393 50ca2b 6392->6393 6394 50e819 11 API calls 6392->6394 6393->6206 6395 50c96a 6394->6395 6396 50e819 11 API calls 6395->6396 6397 50c97d 6396->6397 6398 50e819 11 API calls 6397->6398 6399 50c990 6398->6399 6400 50c9aa 6399->6400 6401 50ebcc 4 API calls 6399->6401 6400->6393 6977 502684 6400->6977 6401->6400 6406 50ca26 7005 50c8aa 6406->7005 6409 50ca44 6410 50ca4b closesocket 6409->6410 6411 50ca83 6409->6411 6410->6406 6412 50ea84 30 API calls 6411->6412 6413 50caac 6412->6413 6414 50f04e 4 API calls 6413->6414 6415 50cab2 6414->6415 6416 50ea84 30 API calls 6415->6416 6417 50caca 6416->6417 6418 50ea84 30 API calls 6417->6418 6419 50cad9 6418->6419 7009 50c65c 6419->7009 6422 50cb60 closesocket 6422->6393 6424 50dad2 closesocket 6425 50e318 23 API calls 6424->6425 6426 
50dae0 6425->6426 6426->6393 6427 50df4c 20 API calls 6485 50cb70 6427->6485 6432 50e654 13 API calls 6432->6485 6438 50cc1c GetTempPathA 6438->6485 6439 50ea84 30 API calls 6439->6485 6440 50d569 closesocket Sleep 7056 50e318 6440->7056 6441 50d815 wsprintfA 6441->6485 6442 50c517 23 API calls 6442->6485 6444 50f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6444->6485 6445 50e8a1 30 API calls 6445->6485 6446 50d582 ExitProcess 6447 50c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6447->6485 6448 50cfe3 GetSystemDirectoryA 6448->6485 6449 50675c 21 API calls 6449->6485 6450 50d027 GetSystemDirectoryA 6450->6485 6451 50cfad GetEnvironmentVariableA 6451->6485 6452 50d105 lstrcatA 6452->6485 6453 50ef1e lstrlenA 6453->6485 6454 50ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6454->6485 6455 50cc9f CreateFileA 6458 50ccc6 WriteFile 6455->6458 6455->6485 6456 508e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6456->6485 6457 50d15b CreateFileA 6459 50d182 WriteFile CloseHandle 6457->6459 6457->6485 6460 50cdcc CloseHandle 6458->6460 6461 50cced CloseHandle 6458->6461 6459->6485 6460->6485 6466 50cd2f 6461->6466 6462 50d149 SetFileAttributesA 6462->6457 6463 50cd16 wsprintfA 6463->6466 6464 50d36e GetEnvironmentVariableA 6464->6485 6465 50d1bf SetFileAttributesA 6465->6485 6466->6463 7038 507fcf 6466->7038 6467 507ead 6 API calls 6467->6485 6468 50d22d GetEnvironmentVariableA 6468->6485 6470 50d3af lstrcatA 6473 50d3f2 CreateFileA 6470->6473 6470->6485 6472 507fcf 64 API calls 6472->6485 6476 50d415 WriteFile CloseHandle 6473->6476 6473->6485 6474 50cd81 WaitForSingleObject CloseHandle CloseHandle 6477 50f04e 4 API calls 6474->6477 6475 50cda5 6478 507ee6 64 API calls 6475->6478 6476->6485 6477->6475 6479 50cdbd DeleteFileA 6478->6479 6479->6485 6480 50d4b1 CreateProcessA 6483 50d4e8 CloseHandle CloseHandle 6480->6483 6480->6485 6481 50d3e0 SetFileAttributesA 6481->6473 6482 
50d26e lstrcatA 6484 50d2b1 CreateFileA 6482->6484 6482->6485 6483->6485 6484->6485 6486 50d2d8 WriteFile CloseHandle 6484->6486 6485->6424 6485->6427 6485->6432 6485->6438 6485->6439 6485->6440 6485->6441 6485->6442 6485->6444 6485->6445 6485->6447 6485->6448 6485->6449 6485->6450 6485->6451 6485->6452 6485->6453 6485->6454 6485->6455 6485->6456 6485->6457 6485->6462 6485->6464 6485->6465 6485->6467 6485->6468 6485->6470 6485->6472 6485->6473 6485->6480 6485->6481 6485->6482 6485->6484 6487 507ee6 64 API calls 6485->6487 6488 50d452 SetFileAttributesA 6485->6488 6489 50d29f SetFileAttributesA 6485->6489 6492 50d31d SetFileAttributesA 6485->6492 7017 50c75d 6485->7017 7029 507e2f 6485->7029 7051 507ead 6485->7051 7061 5031d0 6485->7061 7078 503c09 6485->7078 7088 503a00 6485->7088 7092 50e7b4 6485->7092 7095 50c06c 6485->7095 7101 506f5f GetUserNameA 6485->7101 7112 50e854 6485->7112 7122 507dd6 6485->7122 6486->6485 6487->6485 6488->6485 6489->6484 6492->6485 6494 506784 CreateFileA 6493->6494 6495 50677a SetFileAttributesA 6493->6495 6496 5067a4 CreateFileA 6494->6496 6497 5067b5 6494->6497 6495->6494 6496->6497 6498 5067c5 6497->6498 6499 5067ba SetFileAttributesA 6497->6499 6500 506977 6498->6500 6501 5067cf GetFileSize 6498->6501 6499->6498 6500->6187 6521 506a60 CreateFileA 6500->6521 6502 5067e5 6501->6502 6503 506965 6501->6503 6502->6503 6505 5067ed ReadFile 6502->6505 6504 50696e FindCloseChangeNotification 6503->6504 6504->6500 6505->6503 6506 506811 SetFilePointer 6505->6506 6506->6503 6507 50682a ReadFile 6506->6507 6507->6503 6508 506848 SetFilePointer 6507->6508 6508->6503 6509 506867 6508->6509 6510 5068d5 6509->6510 6511 506878 ReadFile 6509->6511 6510->6504 6513 50ebcc 4 API calls 6510->6513 6512 5068d0 6511->6512 6514 506891 6511->6514 6512->6510 6515 5068f8 6513->6515 6514->6511 6514->6512 6515->6503 6516 506900 SetFilePointer 6515->6516 6517 50695a 6516->6517 6518 50690d ReadFile 6516->6518 6520 50ec2e codecvt 4 API calls 6517->6520 6518->6517 
6519 506922 6518->6519 6519->6504 6520->6503 6522 506b8c GetLastError 6521->6522 6523 506a8f GetDiskFreeSpaceA 6521->6523 6525 506b86 6522->6525 6524 506ac5 6523->6524 6533 506ad7 6523->6533 7207 50eb0e 6524->7207 6525->6204 6529 506b56 CloseHandle 6529->6525 6532 506b65 GetLastError CloseHandle 6529->6532 6530 506b36 GetLastError CloseHandle 6531 506b7f DeleteFileA 6530->6531 6531->6525 6532->6531 7211 506987 6533->7211 6535 5096b9 6534->6535 6536 5073ff 17 API calls 6535->6536 6537 5096e2 6536->6537 6538 5096f7 6537->6538 6539 50704c 16 API calls 6537->6539 6538->6182 6538->6183 6539->6538 6541 5042a5 6540->6541 6542 50429d 6540->6542 7217 503ecd 6541->7217 6542->6186 6542->6201 6544 5042b0 7221 504000 6544->7221 6546 5043c1 CloseHandle 6546->6542 6547 5042b6 6547->6542 6547->6546 7227 503f18 WriteFile 6547->7227 6552 5043ba CloseHandle 6552->6546 6553 504318 6554 503f18 4 API calls 6553->6554 6555 504331 6554->6555 6556 503f18 4 API calls 6555->6556 6557 50434a 6556->6557 6558 50ebcc 4 API calls 6557->6558 6559 504350 6558->6559 6560 503f18 4 API calls 6559->6560 6561 504389 6560->6561 6562 50ec2e codecvt 4 API calls 6561->6562 6563 50438f 6562->6563 6564 503f8c 4 API calls 6563->6564 6565 50439f CloseHandle CloseHandle 6564->6565 6565->6542 6567 5099eb 6566->6567 6568 509a2f lstrcatA 6567->6568 6569 50ee2a 6568->6569 6570 509a4b lstrcatA 6569->6570 6571 506a60 13 API calls 6570->6571 6572 509a60 6571->6572 6572->6211 6572->6238 6573 506dc2 6572->6573 6574 506e33 6573->6574 6575 506dd7 6573->6575 6574->6228 6576 506cc9 5 API calls 6575->6576 6577 506ddc 6576->6577 6577->6577 6578 506e02 GetVolumeInformationA 6577->6578 6579 506e24 6577->6579 6578->6579 6579->6574 6581 506cdc GetModuleHandleA GetProcAddress 6580->6581 6588 506d8b 6580->6588 6582 506d12 GetSystemDirectoryA 6581->6582 6586 506cfd 6581->6586 6583 506d27 GetWindowsDirectoryA 6582->6583 6584 506d1e 6582->6584 6585 506d42 6583->6585 6584->6583 6584->6588 6587 50ef1e lstrlenA 6585->6587 6586->6582 
6586->6588 6587->6588 6588->6237 7235 501910 6589->7235 6592 50934a GetModuleHandleA GetModuleFileNameA 6594 50937f 6592->6594 6595 5093a4 6594->6595 6596 5093d9 6594->6596 6597 5093c3 wsprintfA 6595->6597 6598 509401 wsprintfA 6596->6598 6599 509415 6597->6599 6598->6599 6602 506cc9 5 API calls 6599->6602 6623 5094a0 6599->6623 6600 506edd 5 API calls 6601 5094ac 6600->6601 6603 50962f 6601->6603 6605 5094e8 RegOpenKeyExA 6601->6605 6604 509439 6602->6604 6608 509646 6603->6608 7250 501820 6603->7250 6612 50ef1e lstrlenA 6604->6612 6606 509502 6605->6606 6607 5094fb 6605->6607 6611 50951f RegQueryValueExA 6606->6611 6607->6603 6613 50958a 6607->6613 6619 5095d6 6608->6619 7256 5091eb 6608->7256 6614 509530 6611->6614 6615 509539 6611->6615 6616 509462 6612->6616 6613->6608 6617 509593 6613->6617 6618 50956e RegCloseKey 6614->6618 6620 509556 RegQueryValueExA 6615->6620 6621 50947e wsprintfA 6616->6621 6617->6619 7237 50f0e4 6617->7237 6618->6607 6619->6246 6619->6247 6620->6614 6620->6618 6621->6623 6623->6600 6624 5095bb 6624->6619 7244 5018e0 6624->7244 6627 502544 6626->6627 6628 50972d RegOpenKeyExA 6627->6628 6629 509740 6628->6629 6630 509765 6628->6630 6631 50974f RegDeleteValueA RegCloseKey 6629->6631 6630->6225 6631->6630 6633 502554 lstrcatA 6632->6633 6634 50ee2a 6633->6634 6635 50a0ec lstrcatA 6634->6635 6635->6254 6637 50ec37 6636->6637 6638 50a15d 6636->6638 6639 50eba0 codecvt 2 API calls 6637->6639 6638->6186 6638->6187 6640 50ec3d GetProcessHeap RtlFreeHeap 6639->6640 6640->6638 6642 502544 6641->6642 6643 50919e wsprintfA 6642->6643 6644 5091bb 6643->6644 7294 509064 GetTempPathA 6644->7294 6647 5091d5 ShellExecuteA 6648 5091e7 6647->6648 6648->6204 6650 506ed5 6649->6650 6651 506ecc 6649->6651 6650->6242 6652 506e36 2 API calls 6651->6652 6652->6650 6654 5098f6 6653->6654 6655 504280 30 API calls 6654->6655 6656 509904 Sleep 6654->6656 6657 509915 6654->6657 6655->6654 6656->6654 6656->6657 6659 509947 6657->6659 7301 50977c 6657->7301 
6659->6234 6661 50dd41 InterlockedExchange 6660->6661 6662 50dd20 GetCurrentThreadId 6661->6662 6663 50dd4a 6661->6663 6664 50dd53 GetCurrentThreadId 6662->6664 6665 50dd2e GetTickCount 6662->6665 6663->6664 6664->6273 6666 50dd39 Sleep 6665->6666 6667 50dd4c 6665->6667 6666->6661 6667->6664 6669 50dbf0 6668->6669 6701 50db67 GetEnvironmentVariableA 6669->6701 6671 50dc19 6672 50dcda 6671->6672 6673 50db67 3 API calls 6671->6673 6672->6275 6674 50dc5c 6673->6674 6674->6672 6675 50db67 3 API calls 6674->6675 6676 50dc9b 6675->6676 6676->6672 6677 50db67 3 API calls 6676->6677 6677->6672 6679 50e528 6678->6679 6680 50e3f4 6678->6680 6679->6285 6681 50e434 RegQueryValueExA 6680->6681 6682 50e458 6681->6682 6683 50e51d RegCloseKey 6681->6683 6684 50e46e RegQueryValueExA 6682->6684 6683->6679 6684->6682 6685 50e488 6684->6685 6685->6683 6686 50db2e 8 API calls 6685->6686 6687 50e499 6686->6687 6687->6683 6688 50e4b9 RegQueryValueExA 6687->6688 6689 50e4e8 6687->6689 6688->6687 6688->6689 6689->6683 6690 50e332 14 API calls 6689->6690 6691 50e513 6690->6691 6691->6683 6693 50db55 6692->6693 6694 50db3a 6692->6694 6693->6277 6693->6282 6705 50ebed 6694->6705 6723 50f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6696->6723 6698 50e3be 6698->6277 6699 50e342 6699->6698 6726 50de24 6699->6726 6702 50dbca 6701->6702 6704 50db89 lstrcpyA CreateFileA 6701->6704 6702->6671 6704->6671 6706 50ec01 6705->6706 6707 50ebf6 6705->6707 6717 50eba0 6706->6717 6714 50ebcc GetProcessHeap RtlAllocateHeap 6707->6714 6715 50eb74 2 API calls 6714->6715 6716 50ebe8 6715->6716 6716->6693 6718 50eba7 GetProcessHeap HeapSize 6717->6718 6719 50ebbf GetProcessHeap RtlReAllocateHeap 6717->6719 6718->6719 6720 50eb74 6719->6720 6721 50eb7b GetProcessHeap HeapSize 6720->6721 6722 50eb93 6720->6722 6721->6722 6722->6693 6737 50eb41 6723->6737 6725 50f0b7 6725->6699 6727 50de3a 6726->6727 6732 50de4e 6727->6732 6746 50dd84 6727->6746 6730 50de9e 6731 50ebed 8 API calls 6730->6731 6730->6732 6735 
50def6 6731->6735 6732->6699 6733 50de76 6750 50ddcf 6733->6750 6735->6732 6736 50ddcf lstrcmpA 6735->6736 6736->6732 6738 50eb61 6737->6738 6739 50eb4a 6737->6739 6738->6725 6742 50eae4 6739->6742 6741 50eb54 6741->6725 6741->6738 6743 50eb02 GetProcAddress 6742->6743 6744 50eaed LoadLibraryA 6742->6744 6743->6741 6744->6743 6745 50eb01 6744->6745 6745->6741 6747 50dd96 6746->6747 6748 50ddc5 6746->6748 6747->6748 6749 50ddad lstrcmpiA 6747->6749 6748->6730 6748->6733 6749->6747 6749->6748 6751 50de20 6750->6751 6752 50dddd 6750->6752 6751->6732 6752->6751 6753 50ddfa lstrcmpA 6752->6753 6753->6752 6755 50dd05 6 API calls 6754->6755 6756 50e821 6755->6756 6757 50dd84 lstrcmpiA 6756->6757 6758 50e82c 6757->6758 6759 50e844 6758->6759 6804 502480 6758->6804 6759->6302 6762 50ea98 6761->6762 6813 50e8a1 6762->6813 6764 501e84 6764->6311 6766 5019d5 GetProcAddress GetProcAddress GetProcAddress 6765->6766 6769 5019ce 6765->6769 6767 501ab3 FreeLibrary 6766->6767 6768 501a04 6766->6768 6767->6769 6768->6767 6770 501a14 GetBestInterface GetProcessHeap 6768->6770 6769->6315 6770->6769 6771 501a2e HeapAlloc 6770->6771 6771->6769 6772 501a42 GetAdaptersInfo 6771->6772 6773 501a62 6772->6773 6774 501a52 HeapReAlloc 6772->6774 6775 501aa1 FreeLibrary 6773->6775 6776 501a69 GetAdaptersInfo 6773->6776 6774->6773 6775->6769 6776->6775 6777 501a75 HeapFree 6776->6777 6777->6775 6841 501ac3 LoadLibraryA 6779->6841 6782 501bcf 6782->6326 6784 501ac3 13 API calls 6783->6784 6785 501c09 6784->6785 6786 501c5a 6785->6786 6787 501c0d GetComputerNameA 6785->6787 6786->6334 6788 501c45 GetVolumeInformationA 6787->6788 6789 501c1f 6787->6789 6788->6786 6789->6788 6790 501c41 6789->6790 6790->6786 6792 50ee2a 6791->6792 6793 5030d0 gethostname gethostbyname 6792->6793 6794 501f82 6793->6794 6794->6339 6794->6341 6796 50dd05 6 API calls 6795->6796 6797 50df7c 6796->6797 6798 50dd84 lstrcmpiA 6797->6798 6800 50df89 6798->6800 6799 50dfc4 6799->6308 6800->6799 6801 50ddcf lstrcmpA 6800->6801 
6802 50ec2e codecvt 4 API calls 6800->6802 6803 50dd84 lstrcmpiA 6800->6803 6801->6800 6802->6800 6803->6800 6807 502419 lstrlenA 6804->6807 6806 502491 6806->6759 6808 502474 6807->6808 6809 50243d lstrlenA 6807->6809 6808->6806 6810 502464 lstrlenA 6809->6810 6811 50244e lstrcmpiA 6809->6811 6810->6808 6810->6809 6811->6810 6812 50245c 6811->6812 6812->6808 6812->6810 6814 50dd05 6 API calls 6813->6814 6815 50e8b4 6814->6815 6816 50dd84 lstrcmpiA 6815->6816 6817 50e8c0 6816->6817 6818 50e8c8 lstrcpynA 6817->6818 6828 50e90a 6817->6828 6819 50e8f5 6818->6819 6834 50df4c 6819->6834 6820 502419 4 API calls 6821 50e926 lstrlenA lstrlenA 6820->6821 6823 50e94c lstrlenA 6821->6823 6825 50e96a 6821->6825 6823->6825 6824 50e901 6826 50dd84 lstrcmpiA 6824->6826 6827 50ebcc 4 API calls 6825->6827 6829 50ea27 6825->6829 6826->6828 6830 50e98f 6827->6830 6828->6820 6828->6829 6829->6764 6830->6829 6831 50df4c 20 API calls 6830->6831 6832 50ea1e 6831->6832 6833 50ec2e codecvt 4 API calls 6832->6833 6833->6829 6835 50dd05 6 API calls 6834->6835 6836 50df51 6835->6836 6837 50f04e 4 API calls 6836->6837 6838 50df58 6837->6838 6839 50de24 10 API calls 6838->6839 6840 50df63 6839->6840 6840->6824 6842 501ae2 GetProcAddress 6841->6842 6843 501b68 GetComputerNameA GetVolumeInformationA 6841->6843 6842->6843 6847 501af5 6842->6847 6843->6782 6844 501b1c GetAdaptersAddresses 6845 501b29 6844->6845 6844->6847 6845->6843 6848 50ec2e codecvt 4 API calls 6845->6848 6846 50ebed 8 API calls 6846->6847 6847->6844 6847->6845 6847->6846 6848->6843 6850 506ec3 2 API calls 6849->6850 6851 507ef4 6850->6851 6861 507fc9 6851->6861 6885 5073ff 6851->6885 6853 507f16 6853->6861 6905 507809 GetUserNameA 6853->6905 6855 507f63 6855->6861 6929 50ef1e lstrlenA 6855->6929 6858 50ef1e lstrlenA 6859 507fb7 6858->6859 6931 507a95 RegOpenKeyExA 6859->6931 6861->6349 6863 507073 6862->6863 6864 5070b9 RegOpenKeyExA 6863->6864 6865 5070d0 6864->6865 6879 5071b8 6864->6879 6866 506dc2 6 API calls 6865->6866 
6869 5070d5 6866->6869 6867 50719b RegEnumValueA 6868 5071af RegCloseKey 6867->6868 6867->6869 6868->6879 6869->6867 6871 5071d0 6869->6871 6962 50f1a5 lstrlenA 6869->6962 6872 507205 RegCloseKey 6871->6872 6873 507227 6871->6873 6872->6879 6874 5072b8 ___ascii_stricmp 6873->6874 6875 50728e RegCloseKey 6873->6875 6876 5072cd RegCloseKey 6874->6876 6877 5072dd 6874->6877 6875->6879 6876->6879 6878 507311 RegCloseKey 6877->6878 6881 507335 6877->6881 6878->6879 6879->6350 6880 5073d5 RegCloseKey 6882 5073e4 6880->6882 6881->6880 6883 50737e GetFileAttributesExA 6881->6883 6884 507397 6881->6884 6883->6884 6884->6880 6886 50741b 6885->6886 6887 506dc2 6 API calls 6886->6887 6888 50743f 6887->6888 6889 507469 RegOpenKeyExA 6888->6889 6890 5077f9 6889->6890 6900 507487 ___ascii_stricmp 6889->6900 6890->6853 6891 507703 RegEnumKeyA 6892 507714 RegCloseKey 6891->6892 6891->6900 6892->6890 6893 5074d2 RegOpenKeyExA 6893->6900 6894 50772c 6896 507742 RegCloseKey 6894->6896 6897 50774b 6894->6897 6895 507521 RegQueryValueExA 6895->6900 6896->6897 6899 5077ec RegCloseKey 6897->6899 6898 5076e4 RegCloseKey 6898->6900 6899->6890 6900->6891 6900->6893 6900->6894 6900->6895 6900->6898 6902 50f1a5 lstrlenA 6900->6902 6903 50777e GetFileAttributesExA 6900->6903 6904 507769 6900->6904 6901 5077e3 RegCloseKey 6901->6899 6902->6900 6903->6904 6904->6901 6906 50783d LookupAccountNameA 6905->6906 6907 507a8d 6905->6907 6906->6907 6908 507874 GetLengthSid GetFileSecurityA 6906->6908 6907->6855 6908->6907 6909 5078a8 GetSecurityDescriptorOwner 6908->6909 6910 5078c5 EqualSid 6909->6910 6911 50791d GetSecurityDescriptorDacl 6909->6911 6910->6911 6912 5078dc LocalAlloc 6910->6912 6911->6907 6918 507941 6911->6918 6912->6911 6913 5078ef InitializeSecurityDescriptor 6912->6913 6914 507916 LocalFree 6913->6914 6915 5078fb SetSecurityDescriptorOwner 6913->6915 6914->6911 6915->6914 6917 50790b SetFileSecurityA 6915->6917 6916 50795b GetAce 6916->6918 6917->6914 6918->6907 6918->6916 6919 
APIs
• closesocket.WS2_32(?), ref: 0050CA4E
• closesocket.WS2_32(?), ref: 0050CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0050CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0050CCB4
• WriteFile.KERNEL32(0050A4B3,?,-000000E8,?,00000000), ref: 0050CCDC
• CloseHandle.KERNEL32(0050A4B3), ref: 0050CCED
• wsprintfA.USER32 ref: 0050CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0050CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0050CD89
• CloseHandle.KERNEL32(?), ref: 0050CD98
• CloseHandle.KERNEL32(?), ref: 0050CD9D
• DeleteFileA.KERNEL32(?), ref: 0050CDC4
• CloseHandle.KERNEL32(0050A4B3), ref: 0050CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0050CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0050CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0050D033
• lstrcatA.KERNEL32(?,03B00108), ref: 0050D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0050D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0050D171
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000), ref: 0050D195
• CloseHandle.KERNEL32(00000000), ref: 0050D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0050D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0050D231
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 0050D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0050D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0050D2C7
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0050D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0050D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0050D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0050D372
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 0050D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0050D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0050D408
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0050D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0050D42F
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0050D45B
                                                                                                            • CreateProcessA.KERNEL32(?,00510264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0050D4DE
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0050D4F4
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0050D4FC
                                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0050D513
                                                                                                            • closesocket.WS2_32(?), ref: 0050D56C
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0050D577
                                                                                                            • ExitProcess.KERNEL32 ref: 0050D583
                                                                                                            • wsprintfA.USER32 ref: 0050D81F
                                                                                                              • Part of subcall function 0050C65C: send.WS2_32(00000000,?,00000000), ref: 0050C74B
                                                                                                            • closesocket.WS2_32(?), ref: 0050DAD5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                            • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$X Q$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                            • API String ID: 562065436-246024975
                                                                                                            • Opcode ID: c8ecec00cc2dbbc3ae45c9802affead7c2ef96b43afb1cb0079aff4141de2a58
                                                                                                            • Instruction ID: 341f0f29d735acc2201552fb6f58d7f251a221d6d9e7c07c49fea01da462c3d3
                                                                                                            • Opcode Fuzzy Hash: c8ecec00cc2dbbc3ae45c9802affead7c2ef96b43afb1cb0079aff4141de2a58
                                                                                                            • Instruction Fuzzy Hash: CFB2D372940209AFEB20DBA4DC8AEEE7FBCFB59300F144569F505A31D1D7709A89DB60
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00509A7F
                                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00509A83
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00506511), ref: 00509A8A
                                                                                                              • Part of subcall function 0050EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0050EC5E
                                                                                                              • Part of subcall function 0050EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0050EC72
                                                                                                              • Part of subcall function 0050EC54: GetTickCount.KERNEL32 ref: 0050EC78
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00509AB3
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00509ABA
                                                                                                            • GetCommandLineA.KERNEL32 ref: 00509AFD
                                                                                                            • lstrlenA.KERNEL32(?), ref: 00509B99
                                                                                                            • ExitProcess.KERNEL32 ref: 00509C06
                                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00509CAC
                                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00509D7A
                                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00509D8B
                                                                                                            • lstrcatA.KERNEL32(?,0051070C), ref: 00509D9D
                                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00509DED
                                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00509E38
                                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00509E6F
                                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00509EC8
                                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00509ED5
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00509F3B
                                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00509F5E
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00509F6A
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00509FAD
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00509FB4
                                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00509FFE
                                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0050A038
                                                                                                            • lstrcatA.KERNEL32(00000022,00510A34), ref: 0050A05E
                                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0050A072
                                                                                                            • lstrcatA.KERNEL32(00000022,00510A34), ref: 0050A08D
                                                                                                            • wsprintfA.USER32 ref: 0050A0B6
                                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0050A0DE
                                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0050A0FD
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0050A120
                                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0050A131
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0050A174
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0050A17B
                                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0050A1B6
                                                                                                            • GetCommandLineA.KERNEL32 ref: 0050A1E5
                                                                                                              • Part of subcall function 005099D2: lstrcpyA.KERNEL32(?,?,00000100,005122F8,00000000,?,00509E9D,?,00000022,?,?,?,?,?,?,?), ref: 005099DF
                                                                                                              • Part of subcall function 005099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00509E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00509A3C
                                                                                                              • Part of subcall function 005099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00509E9D,?,00000022,?,?,?), ref: 00509A52
                                                                                                            • lstrlenA.KERNEL32(?), ref: 0050A288
                                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0050A3B7
                                                                                                            • GetLastError.KERNEL32 ref: 0050A3ED
                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 0050A400
                                                                                                            • DeleteFileA.KERNELBASE(005133D8), ref: 0050A407
                                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0050405E,00000000,00000000,00000000), ref: 0050A42C
                                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0050A43A
                                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0050877E,00000000,00000000,00000000), ref: 0050A469
                                                                                                            • Sleep.KERNELBASE(00000BB8), ref: 0050A48A
                                                                                                            • GetTickCount.KERNEL32 ref: 0050A49F
                                                                                                            • GetTickCount.KERNEL32 ref: 0050A4B7
                                                                                                            • Sleep.KERNELBASE(00001A90), ref: 0050A4C3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                            • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$D$P$\$gxtfamnt
                                                                                                            • API String ID: 2089075347-1003240152
                                                                                                            • Opcode ID: 892b7f7e1ea18625505ab96bda9a7d488739c0e2e9c22501043e80077ce2bb97
                                                                                                            • Instruction ID: 854fceeca143caec0b7a302a99c8e0bb58a9669ca67f5afe27aa0d38320be9d2
                                                                                                            • Opcode Fuzzy Hash: 892b7f7e1ea18625505ab96bda9a7d488739c0e2e9c22501043e80077ce2bb97
                                                                                                            • Instruction Fuzzy Hash: 6C5252B1D4025AAFDB11DBA0CC4DEEE7FBCBB54300F5444A5F509A61C2E7749A88CB61

                                                                                                            Control-flow Graph (graph image not reproduced; see the API list below)
                                                                                                            APIs
                                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 005019B1
                                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00501E9E), ref: 005019BF
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 005019E2
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 005019ED
                                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 005019F9
                                                                                                            • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00501E9E), ref: 00501A1B
                                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00501E9E), ref: 00501A1D
                                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00501E9E), ref: 00501A36
                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00501E9E,?,?,?,?,00000001,00501E9E), ref: 00501A4A
                                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00501E9E,?,?,?,?,00000001,00501E9E), ref: 00501A5A
                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00501E9E,?,?,?,?,00000001,00501E9E), ref: 00501A6E
                                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00501E9E), ref: 00501A9B
                                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00501E9E), ref: 00501AA4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                            • API String ID: 293628436-270533642
                                                                                                            • Opcode ID: 95b23e613ce0baba26b9ef177122a441fc3a86e65192504950881ed7406739dc
                                                                                                            • Instruction ID: 235062e299b88bac7767b10399925413eed712e25e641f46bdc25d5eb2114298
                                                                                                            • Opcode Fuzzy Hash: 95b23e613ce0baba26b9ef177122a441fc3a86e65192504950881ed7406739dc
                                                                                                            • Instruction Fuzzy Hash: 4F315A36E01619AFCF119FE4CDC88BEBFB9FB55311B14456AE501A2190D7B04E80DB95

                                                                                                            Control-flow Graph (graph image not reproduced; see the API list below)
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00507ABA
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00507ADF
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0051070C,?,?,?), ref: 00507B16
                                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00507B3B
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00507B59
                                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00507B6A
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00507B7E
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00507B8C
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00507B9C
                                                                                                            • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00507BAB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00507BB2
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00507FC9,?,00000000), ref: 00507BCE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                            • String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$D
                                                                                                            • API String ID: 2976863881-4068003161
                                                                                                            • Opcode ID: 184035f64c04ca0170f2a5e6d416434df9845cbcbc7202f3f5c0c556f4699cca
                                                                                                            • Instruction ID: e0c4adf7c78148ff50d71db00b4b5fc1bf7c484126fdf6ab816842e2f848e265
                                                                                                            • Opcode Fuzzy Hash: 184035f64c04ca0170f2a5e6d416434df9845cbcbc7202f3f5c0c556f4699cca
                                                                                                            • Instruction Fuzzy Hash: E2A13972D0421DAFDB119FA1DC88EEEBFB9FB48304F048069E505E6190E775AA85DB60

                                                                                                            Control-flow Graph (graph image not reproduced; see the API list below)
                                                                                                            APIs
                                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0050782F
                                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00507866
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00507878
                                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0050789A
                                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00507F63,?), ref: 005078B8
                                                                                                            • EqualSid.ADVAPI32(?,00507F63), ref: 005078D2
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 005078E3
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005078F1
                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00507901
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00507910
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00507917
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00507933
                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00507963
                                                                                                            • EqualSid.ADVAPI32(?,00507F63), ref: 0050798A
                                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 005079A3
                                                                                                            • EqualSid.ADVAPI32(?,00507F63), ref: 005079C5
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00507A4A
                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00507A58
                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00507A69
                                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00507A79
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00507A87
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                            • String ID: D
                                                                                                            • API String ID: 3722657555-2746444292
                                                                                                            • Opcode ID: 1812dab3a89b0f74ec818650e5c06cb7c4fcfe9ae15811e0a1802019b410c9d1
                                                                                                            • Instruction ID: 92118027d1e225097e8903102c2711c166ff0f71403f4b36e59e447e8a7eb12c
                                                                                                            • Opcode Fuzzy Hash: 1812dab3a89b0f74ec818650e5c06cb7c4fcfe9ae15811e0a1802019b410c9d1
                                                                                                            • Instruction Fuzzy Hash: CF812B71E0421DABDB21CFA5CD48FEEBBB8BF0C340F14856AE505E6190D774AA45DBA0

                                                                                                            Control-flow Graph: rendered graph not reproduced; nodes cover basic blocks 508328-50877d (legend: Executed / Not Executed), with the API calls per block listed under APIs below
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 005083F3
                                                                                                            • RegQueryValueExA.KERNELBASE(00510750,?,00000000,?,00508893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00508414
                                                                                                            • RegSetValueExA.KERNELBASE(00510750,?,00000000,00000004,00508893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00508441
                                                                                                            • RegCloseKey.ADVAPI32(00510750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0050844A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseOpenQuery
                                                                                                            • String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe$localcfg
                                                                                                            • API String ID: 237177642-3319097516
                                                                                                            • Opcode ID: f62301472b34ef75fa41396f1818ab2b8189f95eb3f7c4f08792fb4799f8ab61
                                                                                                            • Instruction ID: 76f9ffff5dbd03bf1be5d29e774cd711a18f9a1512cc476077653d8822d41992
                                                                                                            • Opcode Fuzzy Hash: f62301472b34ef75fa41396f1818ab2b8189f95eb3f7c4f08792fb4799f8ab61
                                                                                                            • Instruction Fuzzy Hash: D4C1BFB194020DBEEF11ABA0DC8AEFE7FBCFB54304F144465F641A20D1EA715E889B61

                                                                                                            Control-flow Graph: rendered graph not reproduced; nodes cover basic blocks 501d96-501fea (legend: Executed / Not Executed), with the API calls per block listed under APIs below
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32 ref: 00501DC6
                                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 00501DE8
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00501E03
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00501E0A
                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00501E1B
                                                                                                            • GetTickCount.KERNEL32 ref: 00501FC9
                                                                                                              • Part of subcall function 00501BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00501C15
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                            • API String ID: 4207808166-1381319158
                                                                                                            • Opcode ID: d9b80689de33d14097327332ee7d2f17a45b03fb34ee048fabcfb654f72ada0a
                                                                                                            • Instruction ID: 941854a180f39005540473f6127420ed0bbe6d779639f412e8a0c7fbb90abfd2
                                                                                                            • Opcode Fuzzy Hash: d9b80689de33d14097327332ee7d2f17a45b03fb34ee048fabcfb654f72ada0a
                                                                                                            • Instruction Fuzzy Hash: CE518EB09047456FE320AF658C8AF6FBEECFB94704F044D1DF596821C2D6B4A944C7A6

                                                                                                            Control-flow Graph: rendered graph not reproduced; nodes cover basic blocks 5073ff-507808 (legend: Executed / Not Executed), with the API calls per block listed under APIs below
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00507472
                                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 005074F0
                                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00507528
                                                                                                            • ___ascii_stricmp.LIBCMT ref: 0050764D
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 005076E7
                                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00507706
                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00507717
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00507745
                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 005077EF
                                                                                                              • Part of subcall function 0050F1A5: lstrlenA.KERNEL32(000000C8,000000E4,005122F8,000000C8,00507150,?), ref: 0050F1AD
                                                                                                            • GetFileAttributesExA.KERNELBASE(00000022,00000000,?), ref: 0050778F
                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 005077E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                            • String ID: "
                                                                                                            • API String ID: 3433985886-123907689
                                                                                                            • Opcode ID: b53e40c9896724260ce2e35fcddd400f150dea692746c6e80d5ffcea22e93b10
                                                                                                            • Instruction ID: a11c04822a304c078addef65cb16725277479b9206a681dc7c24e7681d7f6084
                                                                                                            • Opcode Fuzzy Hash: b53e40c9896724260ce2e35fcddd400f150dea692746c6e80d5ffcea22e93b10
                                                                                                            • Instruction Fuzzy Hash: 05C18271D0420EABEB119FA4DC49BEE7FB9FF48350F2444A5F504A61D1EB71AE848B60

                                                                                                            Control-flow Graph: rendered graph not reproduced; nodes cover basic blocks 50675c-506986 (legend: Executed / Not Executed), with the API calls per block listed under APIs below
                                                                                                            APIs
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0050677E
                                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0050679A
                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 005067B0
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 005067BF
                                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 005067D3
                                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00508244,00000000,?,74DF0F10,00000000), ref: 00506807
                                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0050681F
                                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0050683E
                                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0050685C
                                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00508244,00000000,?,74DF0F10,00000000), ref: 0050688B
                                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00506906
                                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00508244,00000000,?,74DF0F10,00000000), ref: 0050691C
                                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00506971
                                                                                                              • Part of subcall function 0050EC2E: GetProcessHeap.KERNEL32(00000000,'P,00000000,0050EA27,00000000), ref: 0050EC41
                                                                                                              • Part of subcall function 0050EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0050EC48
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 1400801100-0
                                                                                                            • Opcode ID: 639f1e95b553b9bd166d436dfc243706d11fb9bd3d1ea8763cb4605ca17acd2c
                                                                                                            • Instruction ID: 3917cf360b3892c23b294bcd10a83fc4f887286906164dc975b924c4249a5570
                                                                                                            • Opcode Fuzzy Hash: 639f1e95b553b9bd166d436dfc243706d11fb9bd3d1ea8763cb4605ca17acd2c
                                                                                                            • Instruction Fuzzy Hash: 4D71F671D0021DEFDB119FA4CC84AEEBBB9FF04354F10896AF515A6190E7309EA6DB60

                                                                                                            APIs
                                                                                                            • htons.WS2_32(0050CA1D), ref: 0050F34D
                                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0050F367
                                                                                                            • closesocket.WS2_32(00000000), ref: 0050F375
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesockethtonssocket
                                                                                                            • String ID: time_cfg
                                                                                                            • API String ID: 311057483-2401304539
                                                                                                            • Opcode ID: 49106f83c63fd5e8c18301dc2ef0afe4d235daddb8187350417134f8a2f553fc
                                                                                                            • Instruction ID: 66cb3943cd1df8515e4c1df91128a563974d07e6cb66ae210405d410c875b081
                                                                                                            • Opcode Fuzzy Hash: 49106f83c63fd5e8c18301dc2ef0afe4d235daddb8187350417134f8a2f553fc
                                                                                                            • Instruction Fuzzy Hash: DE317C76900119ABDB20DFA4DC89DEF7BBCFF88310F104566F915D3190E7749A859BA0

                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00504070
                                                                                                            • ExitProcess.KERNEL32 ref: 00504121
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateEventExitProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 2404124870-0
                                                                                                            • Opcode ID: 365de3eb3d98912efd2305941b32d15b8977d6efc763d090a3599e9ddd7511e9
                                                                                                            • Instruction ID: fe4e00568dd3d64cff57a129710427d2c35e96457ca407e48cee69fb5d2769de
                                                                                                            • Opcode Fuzzy Hash: 365de3eb3d98912efd2305941b32d15b8977d6efc763d090a3599e9ddd7511e9
                                                                                                            • Instruction Fuzzy Hash: 0C5192B1D4021ABAEB20ABA08D4AFFF7E7CFB65714F500065F714A60D0E7748A85DB61

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00502F01,?,005020FF,00512000), ref: 00502D3A
                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00502D4A
                                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00502D61
                                                                                                            • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00502D77
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00502D99
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00502DA0
                                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00502DCB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                                            • API String ID: 233223969-3847274415
                                                                                                            • Opcode ID: 57a3337e4a764654cf259fe4dad85e38e7fe4f5fba66da8d66b0c6b83ca1ac44
                                                                                                            • Instruction ID: 5e8d5393919580bf0395801bab34ba3dc7c7a37efbe1ce21dcb8f7e584df7fd6
                                                                                                            • Opcode Fuzzy Hash: 57a3337e4a764654cf259fe4dad85e38e7fe4f5fba66da8d66b0c6b83ca1ac44
                                                                                                            • Instruction Fuzzy Hash: 99215E72940226ABCB21AF54DC489AEBFB8FF58B50F104415F905E7190D7B09E8697D0

                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0050815F
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0050A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00508187
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0050A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 005081BE
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00508210
                                                                                                              • Part of subcall function 0050675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0050677E
                                                                                                              • Part of subcall function 0050675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0050679A
                                                                                                              • Part of subcall function 0050675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 005067B0
                                                                                                              • Part of subcall function 0050675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 005067BF
                                                                                                              • Part of subcall function 0050675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 005067D3
                                                                                                              • Part of subcall function 0050675C: ReadFile.KERNELBASE(000000FF,?,00000040,00508244,00000000,?,74DF0F10,00000000), ref: 00506807
                                                                                                              • Part of subcall function 0050675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0050681F
                                                                                                              • Part of subcall function 0050675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0050683E
                                                                                                              • Part of subcall function 0050675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0050685C
                                                                                                              • Part of subcall function 0050EC2E: GetProcessHeap.KERNEL32(00000000,'P,00000000,0050EA27,00000000), ref: 0050EC41
                                                                                                              • Part of subcall function 0050EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0050EC48
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                            • String ID: C:\Windows\SysWOW64\gxtfamnt\nutgoowa.exe
                                                                                                            • API String ID: 124786226-1914701919
                                                                                                            • Opcode ID: 7deb0fae6d5e7646515ccb2e15620e67461171443052e12908adc6cc42ca6622
                                                                                                            • Instruction ID: 62bc903943d7ede15ac174e0ed7a0c04691da67a73e35a9b37c2ec8b8486e59d
                                                                                                            • Opcode Fuzzy Hash: 7deb0fae6d5e7646515ccb2e15620e67461171443052e12908adc6cc42ca6622
                                                                                                            • Instruction Fuzzy Hash: 5B41A2B690120ABFEB10EBA0DC89DFE7F7CFB54304F14486AF545A2091EA705E98DB50

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00501AD4
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00501AE9
                                                                                                            • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00501B20
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                            • API String ID: 3646706440-1087626847
                                                                                                            • Opcode ID: 9a2641407adcab22159bc6f4ddb2d6c657b3ca700bae8cce800299d612cf4234
                                                                                                            • Instruction ID: 5f405b4644014e9015e7a815f877b43c0713e3850742e92fae2b09aa2d33df73
                                                                                                            • Opcode Fuzzy Hash: 9a2641407adcab22159bc6f4ddb2d6c657b3ca700bae8cce800299d612cf4234
                                                                                                            • Instruction Fuzzy Hash: 1411D075E01528BFCB219BA4CC89CEDBFBAFB44B10B244456E005E71C1E7704E80DB99

                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,0050E5F2,00000000,00020119,0050E5F2,005122F8), ref: 0050E3E6
                                                                                                            • RegQueryValueExA.ADVAPI32(0050E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0050E44E
                                                                                                            • RegQueryValueExA.ADVAPI32(0050E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0050E482
                                                                                                            • RegQueryValueExA.ADVAPI32(0050E5F2,?,00000000,?,80000001,?), ref: 0050E4CF
                                                                                                            • RegCloseKey.ADVAPI32(0050E5F2,?,?,?,?,000000C8,000000E4), ref: 0050E520
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue$CloseOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1586453840-0
                                                                                                            • Opcode ID: e7fc5c4db0a6141db0788364b9e480f218df65f4dddf529385173fa7410c8cbb
                                                                                                            • Instruction ID: f55c2ad985c9d26fd195856649735389e126495d66f52f60a6665c25da057077
                                                                                                            • Opcode Fuzzy Hash: e7fc5c4db0a6141db0788364b9e480f218df65f4dddf529385173fa7410c8cbb
                                                                                                            • Instruction Fuzzy Hash: E34107B2D0021DBFDF119FD4DC86DEEBBB9FB58304F144866F910A21A0E3319A559B60

                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0050F2A0
                                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0050F2C0
                                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0050F2DD
                                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0050F2EC
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0050F2FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            • API ID: setsockopt
                                                                                                            • String ID:
                                                                                                            • API String ID: 3981526788-0

                                                                                                            Control-flow Graph: function 501bdf-501c5e (call 501ac3, GetComputerNameA, GetVolumeInformationA)
                                                                                                            APIs
                                                                                                              • Part of subcall function 00501AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00501AD4
                                                                                                              • Part of subcall function 00501AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00501AE9
                                                                                                              • Part of subcall function 00501AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00501B20
                                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00501C15
                                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00501C51
                                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                            • String ID: hi_id$localcfg
                                                                                                            • API String ID: 2794401326-2393279970
                                                                                                            APIs
                                                                                                              • Part of subcall function 00501AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00501AD4
                                                                                                              • Part of subcall function 00501AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00501AE9
                                                                                                              • Part of subcall function 00501AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00501B20
                                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00501BA3
                                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00501EFD,00000000,00000000,00000000,00000000), ref: 00501BB8
                                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 2794401326-1857712256
                                                                                                            APIs
                                                                                                            • inet_addr.WS2_32(00000002), ref: 00502693
                                                                                                            • gethostbyname.WS2_32(00000002), ref: 0050269F
                                                                                                            • API ID: gethostbynameinet_addr
                                                                                                            • String ID: time_cfg
                                                                                                            • API String ID: 1594361348-2401304539
                                                                                                            APIs
                                                                                                              • Part of subcall function 0050EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0050EC0A,00000000,80000001,?,0050DB55,7FFF0001), ref: 0050EBAD
                                                                                                              • Part of subcall function 0050EBA0: HeapSize.KERNEL32(00000000,?,0050DB55,7FFF0001), ref: 0050EBB4
                                                                                                            • GetProcessHeap.KERNEL32(00000000,'P,00000000,0050EA27,00000000), ref: 0050EC41
                                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 0050EC48
                                                                                                            • API ID: Heap$Process$FreeSize
                                                                                                            • String ID: 'P
                                                                                                            • API String ID: 1305341483-3487395147
                                                                                                            APIs
                                                                                                              • Part of subcall function 0050DD05: GetTickCount.KERNEL32 ref: 0050DD0F
                                                                                                              • Part of subcall function 0050DD05: InterlockedExchange.KERNEL32(005136B4,00000001), ref: 0050DD44
                                                                                                              • Part of subcall function 0050DD05: GetCurrentThreadId.KERNEL32 ref: 0050DD53
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0050A445), ref: 0050E558
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,0050A445), ref: 0050E583
                                                                                                            • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0050A445), ref: 0050E5B2
                                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                            • String ID:
                                                                                                            • API String ID: 3683885500-0
                                                                                                            APIs
                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 005088A5
                                                                                                              • Part of subcall function 0050F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0050E342,00000000,75A8EA50,80000001,00000000,0050E513,?,00000000,00000000,?,000000E4), ref: 0050F089
                                                                                                              • Part of subcall function 0050F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0050E342,00000000,75A8EA50,80000001,00000000,0050E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0050F093
                                                                                                            • API ID: Time$FileSystem$Sleep
                                                                                                            • String ID: localcfg$rresolv
                                                                                                            • API String ID: 1561729337-486471987
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,005122F8,005042B6,00000000,00000001,005122F8,00000000,?,005098FD), ref: 00504021
                                                                                                            • GetLastError.KERNEL32(?,005098FD,00000001,00000100,005122F8,0050A3C7), ref: 0050402C
                                                                                                            • Sleep.KERNEL32(000001F4,?,005098FD,00000001,00000100,005122F8,0050A3C7), ref: 00504046
                                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 408151869-0
                                                                                                            APIs
                                                                                                            • GetEnvironmentVariableA.KERNEL32(0050DC19,?,00000104), ref: 0050DB7F
                                                                                                            • lstrcpyA.KERNEL32(?,005128F8), ref: 0050DBA4
                                                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0050DBC2
                                                                                                            • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 2536392590-0
                                                                                                            APIs
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0050EC5E
                                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0050EC72
                                                                                                            • GetTickCount.KERNEL32 ref: 0050EC78
                                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                            • String ID:
                                                                                                            • API String ID: 1209300637-0
                                                                                                            APIs
                                                                                                            • gethostname.WS2_32(?,00000080), ref: 005030D8
                                                                                                            • gethostbyname.WS2_32(?), ref: 005030E2
                                                                                                            • API ID: gethostbynamegethostname
                                                                                                            • String ID:
                                                                                                            • API String ID: 3961807697-0
                                                                                                            • Opcode ID: f4c1f7829392eeddc64a75c6d890241a256b8028200344cf2bd5e85cff5a5d28
                                                                                                            • Instruction ID: 8274be45e77ba63f44f9197090df9ef8924ca72af037b9c926e647a78dfe5f92
                                                                                                            • Opcode Fuzzy Hash: f4c1f7829392eeddc64a75c6d890241a256b8028200344cf2bd5e85cff5a5d28
                                                                                                            • Instruction Fuzzy Hash: E5E0657590111D9BCB009BA8EC8AFCA7BACBB04304F184461F905E3290EA74E9088790
                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,0050DB55,7FFF0001), ref: 0050EC13
                                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,0050DB55,7FFF0001), ref: 0050EC1A
                                                                                                              • Part of subcall function 0050EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0050EBFE,7FFF0001,?,0050DB55,7FFF0001), ref: 0050EBD3
                                                                                                              • Part of subcall function 0050EBCC: RtlAllocateHeap.NTDLL(00000000,?,0050DB55,7FFF0001), ref: 0050EBDA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1357844191-0
                                                                                                            • Opcode ID: 9ae2dadc51ec592a594c747c187abb41a0d4c5ba60fd3b3722ea1708f6d9613d
                                                                                                            • Instruction ID: f5ecfb4e3ee1ec9ab86fd4298be395d52a7aea7c606c72be3882bd5694ed1a09
                                                                                                            • Opcode Fuzzy Hash: 9ae2dadc51ec592a594c747c187abb41a0d4c5ba60fd3b3722ea1708f6d9613d
                                                                                                            • Instruction Fuzzy Hash: 24E01A32144218BADF013B94EC0AAED7F69FB94362F248415FA0D890A1CB768990EA94
                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0050EBFE,7FFF0001,?,0050DB55,7FFF0001), ref: 0050EBD3
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0050DB55,7FFF0001), ref: 0050EBDA
                                                                                                              • Part of subcall function 0050EB74: GetProcessHeap.KERNEL32(00000000,00000000,0050EC28,00000000,?,0050DB55,7FFF0001), ref: 0050EB81
                                                                                                              • Part of subcall function 0050EB74: HeapSize.KERNEL32(00000000,?,0050DB55,7FFF0001), ref: 0050EB88
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2559512979-0
                                                                                                            • Opcode ID: 5379eb7d8f4a8b5424c22d50cb46fee1e96d06c171f8f7d45e9a9592ed7e3a0f
                                                                                                            • Instruction ID: 33dded4bd62ad6f25f3927e752aa1fcce12f39226fd9d02807d987daf54b4749
                                                                                                            • Opcode Fuzzy Hash: 5379eb7d8f4a8b5424c22d50cb46fee1e96d06c171f8f7d45e9a9592ed7e3a0f
                                                                                                            • Instruction Fuzzy Hash: 76C08C322882207BC60137A4BC0DEDE3EA8EF883A2F048404F609C21E0CB784880D7A2
                                                                                                            APIs
                                                                                                            • recv.WS2_32(000000C8,?,00000000,0050CA44), ref: 0050F476
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: recv
                                                                                                            • String ID:
                                                                                                            • API String ID: 1507349165-0
                                                                                                            • Opcode ID: 719c549695599d9771e6cd2e54aa2180c1e473524992fc1171775908c92417b2
                                                                                                            • Instruction ID: 1ce64893e228f645637719a1246b561adc900ef0f4bf9abcdf69ff8aa3adb71f
                                                                                                            • Opcode Fuzzy Hash: 719c549695599d9771e6cd2e54aa2180c1e473524992fc1171775908c92417b2
                                                                                                            • Instruction Fuzzy Hash: A7F08C3220024AABDF219E9ADD84CEF3FAEFBC93107040122FE14D3110D631E8209BA0
                                                                                                            APIs
                                                                                                            • closesocket.WS2_32(00000000), ref: 00501992
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 2781271927-0
                                                                                                            • Opcode ID: a6de318caa048a000550137cb9314766706374c275f357bd131c161c993358be
                                                                                                            • Instruction ID: 764f377b00cb20131bcda38daeae0d92805aa5e0d465ee564248a78fb4f0fc62
                                                                                                            • Opcode Fuzzy Hash: a6de318caa048a000550137cb9314766706374c275f357bd131c161c993358be
                                                                                                            • Instruction Fuzzy Hash: 96D022261086322A82502318BC084BFAFCCEF45262700842AFC48C0090C630CC818396
                                                                                                            APIs
                                                                                                            • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0050DDB5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 1586166983-0
                                                                                                            • Opcode ID: 3c43cc2f1fa5c5955402a06d60df2b811b3814ce9192a2221a619166f0685f4f
                                                                                                            • Instruction ID: b3b5101accf7e75a9c3fead4be2f88c0696984f62091f218fc4889e737a11839
                                                                                                            • Opcode Fuzzy Hash: 3c43cc2f1fa5c5955402a06d60df2b811b3814ce9192a2221a619166f0685f4f
                                                                                                            • Instruction Fuzzy Hash: E6F05E33200203CBCB208FA4984465ABBF4FB45325F19492AE155921D0D730DC95CB21
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00509816,EntryPoint), ref: 0050638F
                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00509816,EntryPoint), ref: 005063A9
                                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005063CA
                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005063EB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 1965334864-0
                                                                                                            • Opcode ID: 56770765126b29c11552f69ebcead4cf7074b23df3f59ec3574566ec16ae36ae
                                                                                                            • Instruction ID: 0b904addb6ab51985741e594749a31010f6cea01995e800d4e4ee95eb0e77179
                                                                                                            • Opcode Fuzzy Hash: 56770765126b29c11552f69ebcead4cf7074b23df3f59ec3574566ec16ae36ae
                                                                                                            • Instruction Fuzzy Hash: B4118FB1600219BFEB118F65DC4AF9B3FA8EB447A4F104424F908A72D0D670DC109AA0
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00501839,00509646), ref: 00501012
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 005010C2
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 005010E1
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00501101
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00501121
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00501140
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00501160
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00501180
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0050119F
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 005011BF
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 005011DF
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 005011FE
                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0050121A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                            • API String ID: 2238633743-3228201535
                                                                                                            • Opcode ID: 858617002256c48afb2ed241f9bd28e8739106075e69036e6eec4da2a5376470
                                                                                                            • Instruction ID: c26c76ec829366bbefd074826ec443e9e23b2c5d2d3243b89261e9e04c93b1e7
                                                                                                            • Opcode Fuzzy Hash: 858617002256c48afb2ed241f9bd28e8739106075e69036e6eec4da2a5376470
                                                                                                            • Instruction Fuzzy Hash: B3518F71542E42ABD7108F69EDA47D63EE87758330F1483169520D61F0D7F0CAC9EB5A
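Added example, not code from the Joe Sandbox report or from the sample: a small Python parser for the "APIs" line format used throughout this report, run over the lines of the two preceding function blocks. It flags the two things those blocks show. First, an allocation in another process with flProtect 0x40 (PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory, the usual write half of an injection. Second, LoadLibraryA("ntdll.dll") followed by GetProcAddress for NtOpenProcessToken, NtDuplicateToken and NtSetInformationThread, the token-duplicate-and-impersonate set resolved at run time so it never appears in the import table. The sample lines are copied from the report, the Win32 constants are from winnt.h, and the analyze() heuristic is my own, not a Joe Sandbox signature.

```python
"""Added example: parse this report's "APIs" lines and check two patterns."""
import re
from typing import List, NamedTuple, Optional

PAGE_EXECUTE_MASK = 0xF0   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY (winnt.h)
PAGE_NAMES = {0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# ntdll exports that, resolved together, give a token duplicate/impersonate capability
TOKEN_NATIVES = {"NtOpenProcessToken", "NtDuplicateToken", "NtQueryInformationToken",
                 "NtSetInformationToken", "NtSetInformationThread", "NtFilterToken"}


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: Optional[int]     # call-site address when the line carries "ref:"


_LINE = re.compile(r"(\w+)\.(\w+)\((.*)\)(?:,\s*ref:\s*([0-9A-Fa-f]+))?")


def parse_call(line: str) -> Optional[Call]:
    """Parse one "Api.MODULE(args), ref: addr" line; None for lines without an argument list."""
    m = _LINE.search(line)
    if m is None:
        return None
    api, module, raw, ref = m.groups()
    args = [a.strip() for a in raw.split(",")] if raw else []
    return Call(api, module, args, int(ref, 16) if ref else None)


def arg_hex(call: Call, idx: int) -> Optional[int]:
    """Argument idx as an int; None when it is '?' (unknown), a string, or absent."""
    try:
        return int(call.args[idx], 16)
    except (IndexError, ValueError):
        return None


def _addr(ref: Optional[int]) -> str:
    return "%08X" % ref if ref is not None else "?"


def analyze(lines: List[str]) -> List[str]:
    calls = [c for c in map(parse_call, lines) if c is not None]
    findings: List[str] = []
    # 1. Executable allocation in another process, then a write into it.
    #    The trace prints more stack slots than the prototype has parameters,
    #    so index by the prototype: VirtualAllocEx(hProcess, lpAddress, dwSize,
    #    flAllocationType, flProtect) puts flProtect at index 4.
    pending = None
    for c in calls:
        if c.api == "VirtualAllocEx":
            prot = arg_hex(c, 4)
            if prot is not None and prot & PAGE_EXECUTE_MASK:
                pending = c
        elif c.api == "WriteProcessMemory" and pending is not None:
            findings.append("remote %s allocation at %s followed by WriteProcessMemory at %s"
                            % (PAGE_NAMES.get(arg_hex(pending, 4), "executable"),
                               _addr(pending.ref), _addr(c.ref)))
            pending = None
    # 2. ntdll natives resolved at run time instead of being imported.
    loaded = {c.args[0].lower() for c in calls if c.api == "LoadLibraryA" and c.args}
    resolved = {c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) > 1}
    hits = sorted(resolved & TOKEN_NATIVES)
    if "ntdll.dll" in loaded and {"NtOpenProcessToken", "NtDuplicateToken"} <= set(hits):
        findings.append("run-time resolution of token natives from ntdll: " + ", ".join(hits))
    return findings


# Constructed input: the API lines of the two blocks above, in trace order.
SAMPLE_TRACE = [
    "• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00509816,EntryPoint), ref: 0050638F",
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00509816,EntryPoint), ref: 005063A9",
    "• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005063CA",
    "• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005063EB",
    "• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00501839,00509646), ref: 00501012",
    "• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00501160",
    "• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 005011DF",
    "• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 005011FE",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRACE):
        print(finding)
```

Note the local VirtualAlloc in the same block asks for flProtect 0x04 (PAGE_READWRITE): the staging buffer in the bot's own process is not executable, only the copy placed in the target is, which is why the check keys on VirtualAllocEx rather than on every executable allocation.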
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0050B2B3
                                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0050B2C2
                                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0050B2D0
                                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0050B2E1
                                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0050B31A
                                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0050B329
                                                                                                            • wsprintfA.USER32 ref: 0050B3B7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                            • API String ID: 766114626-2976066047
                                                                                                            • Opcode ID: 2dc0909f863296c71de76d1a715e30eca2709523d681a5baa977ffbd9f8d52f5
                                                                                                            • Instruction ID: e34c81ad66c378864a9487c7fe0cbe40daf7d8b1a44e21b6591a41f0f97585db
                                                                                                            • Opcode Fuzzy Hash: 2dc0909f863296c71de76d1a715e30eca2709523d681a5baa977ffbd9f8d52f5
                                                                                                            • Instruction Fuzzy Hash: B251D7B1D0021DAAEF14DF95D8898EEFFF9BB48308F10556AE501A6190D7B44EC9DF90
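Added example (Python, not code from the report or the sample): what the format string "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" together with the weekday and month tables above produces, namely an RFC 2822 Date header built from local time plus a zone offset, which is how a mailer makes its messages look like they came from an ordinary client in the victim's time zone. The one thing worth seeing in code is the sign: TIME_ZONE_INFORMATION.Bias from GetTimeZoneInformation is defined as UTC = local + Bias, so CET (Bias -60) has to print as +0100. It is assumed here that the offset is derived from Bias alone (no daylight-bias adjustment); the report does not show that detail. The time values are constructed.

```python
"""Added example: the Date-header formatter implied by the format string above."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # datetime.weekday(): Monday == 0
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"               # the string from the report


def rfc2822_date(year: int, month: int, day: int, hour: int, minute: int, second: int,
                 bias_minutes: int) -> str:
    """Render SYSTEMTIME-style local fields plus a Windows Bias as an RFC 2822 date."""
    offset = -bias_minutes                     # UTC = local + Bias, so the zone is -Bias
    sign = "+" if offset >= 0 else "-"
    zone_h, zone_m = divmod(abs(offset), 60)   # keeps half-hour zones such as +0530 exact
    weekday = datetime(year, month, day).weekday()
    return FMT % (DAYS[weekday], day, MONTHS[month - 1], year,
                  hour, minute, second, sign, zone_h, zone_m)


def utc_iso(year: int, month: int, day: int, hour: int, minute: int, second: int,
            bias_minutes: int) -> str:
    """Round-trip check: parse the rendered header with the standard library and
    return the UTC instant it denotes, so the sign convention can be verified."""
    header = rfc2822_date(year, month, day, hour, minute, second, bias_minutes)
    return parsedate_to_datetime(header).astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    print(rfc2822_date(2018, 1, 13, 12, 8, 32, -60))   # constructed sample, CET
    print(utc_iso(2018, 1, 13, 12, 8, 32, -60))
```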
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                            • API String ID: 2400214276-165278494
                                                                                                            • Opcode ID: 4590f3773400e9921c88fb48fe4d2f0ed43b269d5642fa670bcd38da6b85112a
                                                                                                            • Instruction ID: 687ab96397d24fceef39b0bbe8a605f380c8daccae5c18eb7713c7ece3cd5ea9
                                                                                                            • Opcode Fuzzy Hash: 4590f3773400e9921c88fb48fe4d2f0ed43b269d5642fa670bcd38da6b85112a
                                                                                                            • Instruction Fuzzy Hash: FB614E72940208AFEF609FA4DC45FEE7BE9FF48300F148469F969D21A1DAB19994CF50
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 0050A7FB
                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0050A87E
                                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0050A893
                                                                                                            • wsprintfA.USER32 ref: 0050A8AF
                                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0050A8D2
                                                                                                            • wsprintfA.USER32 ref: 0050A8E2
                                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0050A97C
                                                                                                            • wsprintfA.USER32 ref: 0050A9B9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                            • API String ID: 3650048968-2394369944
                                                                                                            • Opcode ID: 9d11cc238a051c050578d46af23d3260bc77c905729b1ff24f7c767d75b64c2a
                                                                                                            • Instruction ID: d7cc77c9213c55a7fdb188f1b1383cd5c3121c8b45f4abd896ae8c0011db7a76
                                                                                                            • Opcode Fuzzy Hash: 9d11cc238a051c050578d46af23d3260bc77c905729b1ff24f7c767d75b64c2a
                                                                                                            • Instruction Fuzzy Hash: E8A11872A44309AAEF218B54DC8AFEE3F69FF50304F284826F905A60D1DA719DC8D753
                                                                                                            APIs
                                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0050139A
                                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00501571
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteShelllstrlen
                                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                                            • API String ID: 1628651668-179334549
                                                                                                            • Opcode ID: 911b4db9b3c893c3653c1b29aa0b3bbcc1af95cb06263f914d2316e4f9daa93f
                                                                                                            • Instruction ID: 751ce91fb21d685593a7fb15a448e85d63d483c4522eda1431262f9c38a0fa0a
                                                                                                            • Opcode Fuzzy Hash: 911b4db9b3c893c3653c1b29aa0b3bbcc1af95cb06263f914d2316e4f9daa93f
                                                                                                            • Instruction Fuzzy Hash: D7F199B55087419FD720DF64C888BAEBBE4FB98300F10892DF6969B290D7B4D948CF56
                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00502A83
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00502A86
                                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00502AA0
                                                                                                            • htons.WS2_32(00000000), ref: 00502ADB
                                                                                                            • select.WS2_32 ref: 00502B28
                                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00502B4A
                                                                                                            • htons.WS2_32(?), ref: 00502B71
                                                                                                            • htons.WS2_32(?), ref: 00502B8C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00502BFB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 1639031587-0
                                                                                                            • Opcode ID: 07aa2900283d7c6fa2c8997cf20546f615f92e497692e7aa600034d6b79a5bed
                                                                                                            • Instruction ID: a502538ae01dfdb855733f8af8e1fba6d054cc8f2afacdd1b980f9d456adf3e6
                                                                                                            • Opcode Fuzzy Hash: 07aa2900283d7c6fa2c8997cf20546f615f92e497692e7aa600034d6b79a5bed
                                                                                                            • Instruction Fuzzy Hash: 9261BD71904305ABE720AF64DC4CB6EBFE8FB98341F114809F949971D0D7B4DC849BA2
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 005070C2
                                                                                                            • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0050719E
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 005071B2
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00507208
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00507291
                                                                                                            • ___ascii_stricmp.LIBCMT ref: 005072C2
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 005072D0
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00507314
                                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0050738D
                                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 005073D8
                                                                                                              • Part of subcall function 0050F1A5: lstrlenA.KERNEL32(000000C8,000000E4,005122F8,000000C8,00507150,?), ref: 0050F1AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                            • String ID: $"
                                                                                                            • API String ID: 4293430545-3817095088
                                                                                                            • Opcode ID: 675ce0fabf584b9d6b965294e31fed8b569770919736f78427837651cb547d1f
                                                                                                            • Instruction ID: 4320fa16f783a1b538d5777f61cc1fb310b219cfca596271804050aaf8e344d0
                                                                                                            • Opcode Fuzzy Hash: 675ce0fabf584b9d6b965294e31fed8b569770919736f78427837651cb547d1f
                                                                                                            • Instruction Fuzzy Hash: 30B17571D0420EAAEF159FA4DC49BEE7FB8BF58300F200965F501E60D0EB75AA94DB64
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0050AD98
                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0050ADA6
                                                                                                              • Part of subcall function 0050AD08: gethostname.WS2_32(?,00000080), ref: 0050AD1C
                                                                                                              • Part of subcall function 0050AD08: lstrlenA.KERNEL32(00000000), ref: 0050AD60
                                                                                                              • Part of subcall function 0050AD08: lstrlenA.KERNEL32(00000000), ref: 0050AD69
                                                                                                              • Part of subcall function 0050AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0050AD7F
                                                                                                              • Part of subcall function 005030B5: gethostname.WS2_32(?,00000080), ref: 005030D8
                                                                                                              • Part of subcall function 005030B5: gethostbyname.WS2_32(?), ref: 005030E2
                                                                                                            • wsprintfA.USER32 ref: 0050AEA5
                                                                                                              • Part of subcall function 0050A7A3: inet_ntoa.WS2_32(?), ref: 0050A7A9
                                                                                                            • wsprintfA.USER32 ref: 0050AE4F
                                                                                                            • wsprintfA.USER32 ref: 0050AE5E
                                                                                                              • Part of subcall function 0050EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0050EF92
                                                                                                              • Part of subcall function 0050EF7C: lstrlenA.KERNEL32(?), ref: 0050EF99
                                                                                                              • Part of subcall function 0050EF7C: lstrlenA.KERNEL32(00000000), ref: 0050EFA0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                            • API String ID: 3631595830-1816598006
                                                                                                            • Opcode ID: d71c062c950a424347ac914a279c49d6126c9511c7560f28bd3391068c989e9a
                                                                                                            • Instruction ID: d1776c456e3db3157f1b21e2ad0b730fc65abe66f172e9872d660611f6a1f601
                                                                                                            • Opcode Fuzzy Hash: d71c062c950a424347ac914a279c49d6126c9511c7560f28bd3391068c989e9a
                                                                                                            • Instruction Fuzzy Hash: DE4121B290030DABDF25EFA0DC4AEEE7FADFB48304F24481AB91592191E675D994CB50
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00502F0F,?,005020FF,00512000), ref: 00502E01
                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00502F0F,?,005020FF,00512000), ref: 00502E11
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00502E2E
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00502F0F,?,005020FF,00512000), ref: 00502E4C
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00502F0F,?,005020FF,00512000), ref: 00502E4F
                                                                                                            • htons.WS2_32(00000035), ref: 00502E88
                                                                                                            • inet_addr.WS2_32(?), ref: 00502E93
                                                                                                            • gethostbyname.WS2_32(?), ref: 00502EA6
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00502F0F,?,005020FF,00512000), ref: 00502EE3
                                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00502F0F,?,005020FF,00512000), ref: 00502EE6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                            • API String ID: 929413710-2099955842
                                                                                                            • Opcode ID: 3a4e272cdc96803a822b1a41ff5c8aca8ee28519ff4a732b76a99e2e2d3166b1
                                                                                                            • Instruction ID: cd2c27532e4ead97a83378aad8fe2b29cf5695f319133da8742034cfb0d19cb1
                                                                                                            • Opcode Fuzzy Hash: 3a4e272cdc96803a822b1a41ff5c8aca8ee28519ff4a732b76a99e2e2d3166b1
                                                                                                            • Instruction Fuzzy Hash: 89319C31A8060AABDB119BB8DC8CABE7BBCBF14360F144115F918E72D0EB74D9819B50
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32(?,?,00509DD7,?,00000022,?,?,00000000,00000001), ref: 00509340
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00509DD7,?,00000022,?,?,00000000,00000001), ref: 0050936E
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00509DD7,?,00000022,?,?,00000000,00000001), ref: 00509375
                                                                                                            • wsprintfA.USER32 ref: 005093CE
                                                                                                            • wsprintfA.USER32 ref: 0050940C
                                                                                                            • wsprintfA.USER32 ref: 0050948D
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 005094F1
                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00509526
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00509571
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                            • String ID: runas
                                                                                                            • API String ID: 3696105349-4000483414
                                                                                                            • Opcode ID: 1f2ed18019052f978adbca341d67d7773b9411d8169a388198b21692217e4085
                                                                                                            • Instruction ID: 3f1a0974d60bb951f728dbd4652a6eaf09f3ca73e6f6d5b99750744a4c623dd1
                                                                                                            • Opcode Fuzzy Hash: 1f2ed18019052f978adbca341d67d7773b9411d8169a388198b21692217e4085
                                                                                                            • Instruction Fuzzy Hash: EEA16BB2940209ABEB21DFA1CC49FDE3FACFB54740F104026FA15961D2E7769984DFA1
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00502078
                                                                                                            • GetTickCount.KERNEL32 ref: 005020D4
                                                                                                            • GetTickCount.KERNEL32 ref: 005020DB
                                                                                                            • GetTickCount.KERNEL32 ref: 0050212B
                                                                                                            • GetTickCount.KERNEL32 ref: 00502132
                                                                                                            • GetTickCount.KERNEL32 ref: 00502142
                                                                                                              • Part of subcall function 0050F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0050E342,00000000,75A8EA50,80000001,00000000,0050E513,?,00000000,00000000,?,000000E4), ref: 0050F089
                                                                                                              • Part of subcall function 0050F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0050E342,00000000,75A8EA50,80000001,00000000,0050E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0050F093
                                                                                                              • Part of subcall function 0050E854: lstrcpyA.KERNEL32(00000001,?,?,0050D8DF,00000001,localcfg,except_info,00100000,00510264), ref: 0050E88B
                                                                                                              • Part of subcall function 0050E854: lstrlenA.KERNEL32(00000001,?,0050D8DF,00000001,localcfg,except_info,00100000,00510264), ref: 0050E899
                                                                                                              • Part of subcall function 00501C5F: wsprintfA.USER32 ref: 00501CE1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                            • String ID: Sad$localcfg$net_type$rbl_bl$rbl_ip
                                                                                                            • API String ID: 3976553417-3390358268
                                                                                                            • Opcode ID: 2aefa239f266d06c03fd725ca4477cdce4bd50a857540af6ede733cade657aa1
                                                                                                            • Instruction ID: 6064e4441b5342d8d47b22efcbac359a991417d0805ad64f999caa5be1ee5cf3
                                                                                                            • Opcode Fuzzy Hash: 2aefa239f266d06c03fd725ca4477cdce4bd50a857540af6ede733cade657aa1
                                                                                                            • Instruction Fuzzy Hash: DF5123789083465EE728EF34ED4EB9E3FD4FB54314F10442DE615861E1DBB8A898EB11
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 0050B467
                                                                                                              • Part of subcall function 0050EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0050EF92
                                                                                                              • Part of subcall function 0050EF7C: lstrlenA.KERNEL32(?), ref: 0050EF99
                                                                                                              • Part of subcall function 0050EF7C: lstrlenA.KERNEL32(00000000), ref: 0050EFA0
                                                                                                            Strings
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: cfa7369d1dff8c21b8701068e5a065c1fac6a5226d4eec6a1eb43ffc48f737b2
• Instruction ID: da680337661145dca5793cb7a7377fb1ca6ca1537e1d4dc29b8a72ba48263af0
• Opcode Fuzzy Hash: cfa7369d1dff8c21b8701068e5a065c1fac6a5226d4eec6a1eb43ffc48f737b2
• Instruction Fuzzy Hash: 714140B254011A7EEF01AA94CDC6DFFBE6CFF89748B140515F904A2081DB74AD948BA1
APIs
  • Part of subcall function 0050A4C7: GetTickCount.KERNEL32 ref: 0050A4D1
  • Part of subcall function 0050A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0050A4FA
• GetTickCount.KERNEL32 ref: 0050C31F
• GetTickCount.KERNEL32 ref: 0050C32B
• GetTickCount.KERNEL32 ref: 0050C363
• GetTickCount.KERNEL32 ref: 0050C378
• GetTickCount.KERNEL32 ref: 0050C44D
• InterlockedIncrement.KERNEL32(0050C4E4), ref: 0050C4AE
• CreateThread.KERNEL32(00000000,00000000,0050B535,00000000,?,0050C4E0), ref: 0050C4C1
• CloseHandle.KERNEL32(00000000,?,0050C4E0,00513588,00508810), ref: 0050C4CC
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: 42603aad92aa302d6881db44b9587f566c37afa7b8aff8f5661bb006d76d9ce5
• Instruction ID: ceb4d653d5dacd71a61852ce5116ab90e22404a5cab35b0aaa071f55901d74b4
• Opcode Fuzzy Hash: 42603aad92aa302d6881db44b9587f566c37afa7b8aff8f5661bb006d76d9ce5
• Instruction Fuzzy Hash: E7512AB1A00B418FDB649F69C9D552ABFE9FB49300B509E2EE58BC7AD0D774E8448B10
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0050BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0050BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0050BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0050BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0050BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0050BF94
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: d52c16a5b0fbde81e2973d5ad5bded26d7cace750ef60d6e7fdbbc7b2bd4136f
• Instruction ID: a88a0086294ad672b4c2ac31b52836ffa9b66789689da79b685ddbf13889e7c5
• Opcode Fuzzy Hash: d52c16a5b0fbde81e2973d5ad5bded26d7cace750ef60d6e7fdbbc7b2bd4136f
• Instruction Fuzzy Hash: 8351BC71A0021BEFEB118B64DDC5AAEBFA9BF44344F144469E905AB2D1D730ED808F90
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00509A60,?,?,00509E9D), ref: 00506A7D
• GetDiskFreeSpaceA.KERNEL32(00509E9D,00509A60,?,?,?,005122F8,?,?,?,00509A60,?,?,00509E9D), ref: 00506ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00509A60,?,?,00509E9D), ref: 00506B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00509A60,?,?,00509E9D), ref: 00506B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00509A60,?,?,00509E9D), ref: 00506B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00509A60,?,?,00509E9D), ref: 00506B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00509A60,?,?,00509E9D), ref: 00506B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00509A60,?,?,00509E9D), ref: 00506B80
• GetLastError.KERNEL32(?,?,?,00509A60,?,?,00509E9D,?,?,?,?,?,00509E9D,?,00000022,?), ref: 00506B96
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 26419afec498a79a41489b64f2182b295ee5d497b98b17f4009bb57836df9cb3
• Instruction ID: abcf4216ab48120485268ff140546530f280629a4c93133bd44c60ece84e744b
• Opcode Fuzzy Hash: 26419afec498a79a41489b64f2182b295ee5d497b98b17f4009bb57836df9cb3
• Instruction Fuzzy Hash: E231F5B290014DBFDB01EFA08D49ADE7F78FF58310F148465E211E7191D73089A9DB61
APIs
• GetUserNameA.ADVAPI32(?,0050D7C3), ref: 00506F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0050D7C3), ref: 00506FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00506FE8
• LocalFree.KERNEL32(00000120), ref: 0050701F
• wsprintfA.USER32 ref: 00507036
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: 82f50152e7908c822c73ddf2ca92b97d3e76a99b1fbc3f73b0dc1e902c28365b
• Instruction ID: e9af8ce6c7fad9b3d8acb30925b13914427ce8e94e86e457d8a23f0f4d7b8eb7
• Opcode Fuzzy Hash: 82f50152e7908c822c73ddf2ca92b97d3e76a99b1fbc3f73b0dc1e902c28365b
• Instruction Fuzzy Hash: 5D312B72900209AFDB01DFA4DC49ADE7FACBF04310F048156F849DB181DA74EA58CB90
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,005122F8,000000E4,00506DDC,000000C8), ref: 00506CE7
• GetProcAddress.KERNEL32(00000000), ref: 00506CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00506D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00506D2B
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 4b8cd8f485072a6ba7a71bd36578ec7171d7b7e4238299d678b7917d6af8c1f8
• Instruction ID: fd4cac0e9b8d01d64405e34fdbf1692caac6390b18a99210657c090ad0644069
• Opcode Fuzzy Hash: 4b8cd8f485072a6ba7a71bd36578ec7171d7b7e4238299d678b7917d6af8c1f8
• Instruction Fuzzy Hash: C62105527812457AF72257319C8DFFF2E8CAB62754F1C4154F804AA0D1CAD988E9D2BA
APIs
• CreateProcessA.KERNEL32(00000000,00509947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,005122F8), ref: 005097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,005122F8), ref: 005097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,005122F8), ref: 005097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,005122F8), ref: 00509831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,005122F8), ref: 0050984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,005122F8), ref: 0050985B
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: 733634c39260455c3f6b077fd6f6b7a2945270ad665b30c8c5e9d98df30bd153
• Instruction ID: 5f62a5e7e0fa6cbe2c950851cd2438df93717e73bf5e4e903b50db2423469bb3
• Opcode Fuzzy Hash: 733634c39260455c3f6b077fd6f6b7a2945270ad665b30c8c5e9d98df30bd153
• Instruction Fuzzy Hash: 3B213BB2941219BBDB219FA1DC49EEF7FBCFF09750F004460BA19E1195EB709A44DAA0
APIs
  • Part of subcall function 0050DD05: GetTickCount.KERNEL32 ref: 0050DD0F
  • Part of subcall function 0050DD05: InterlockedExchange.KERNEL32(005136B4,00000001), ref: 0050DD44
  • Part of subcall function 0050DD05: GetCurrentThreadId.KERNEL32 ref: 0050DD53
  • Part of subcall function 0050DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0050DDB5
• lstrcpynA.KERNEL32(?,00501E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0050EAAA,?,?), ref: 0050E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0050EAAA,?,?,00000001,?,00501E84,?), ref: 0050E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0050EAAA,?,?,00000001,?,00501E84,?,0000000A), ref: 0050E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0050EAAA,?,?,00000001,?,00501E84,?), ref: 0050E94F
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 88621185a04065dd3abe3cab1c23b2b25e0b21644ccf6d3fcbdefad925b41e2d
• Instruction ID: a21e5e7bae61a1df0ffc852c1c1bb23d4ec166c0a97000dbbd0d82d9e93a9542
• Opcode Fuzzy Hash: 88621185a04065dd3abe3cab1c23b2b25e0b21644ccf6d3fcbdefad925b41e2d
• Instruction Fuzzy Hash: 4851307290020AAFCF11EFE8CD899AEBBF9BF48304F14495AF405A3251D775EA548B50
APIs
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: c1721506ab667248037b16f2bacddd175f0a4bb5ed10c9fc3e2f0995f2b36558
• Instruction ID: faec00f6b169f680c0167ec490c524741c0d20c20b2c39a843d00bf0387f4a18
• Opcode Fuzzy Hash: c1721506ab667248037b16f2bacddd175f0a4bb5ed10c9fc3e2f0995f2b36558
• Instruction Fuzzy Hash: 8521AC76100116FFEB10ABA0ED8DEEF3EACFB48360B208815F542E10D0EA719E54A674
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,005122F8), ref: 0050907B
• wsprintfA.USER32 ref: 005090E9
• CreateFileA.KERNEL32(005122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0050910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00509122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0050912D
• CloseHandle.KERNEL32(00000000), ref: 00509134
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 4c93c736f798a84b97110812fccc406c60e17e6ffd93e8c2e844685f7652c648
• Instruction ID: 938e89fd382aed4aab99f249dc7cbec2e6737e16a34bec32773bd672efde2ab2
• Opcode Fuzzy Hash: 4c93c736f798a84b97110812fccc406c60e17e6ffd93e8c2e844685f7652c648
• Instruction Fuzzy Hash: D811B4B66401157BF7246722DC0FFEF3E6DEBD8B04F00C465BB0AA50D1EAB04E859660
APIs
• GetTickCount.KERNEL32 ref: 0050DD0F
• GetCurrentThreadId.KERNEL32 ref: 0050DD20
• GetTickCount.KERNEL32 ref: 0050DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0050E538,?,74DF0F10,?,00000000,?,0050A445), ref: 0050DD3B
• InterlockedExchange.KERNEL32(005136B4,00000001), ref: 0050DD44
• GetCurrentThreadId.KERNEL32 ref: 0050DD53
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3819781495-0
                                                                                                            • Opcode ID: eba2b6b781916e608914db1571d45536446d8a842bf59ec6f6f88126e349b26f
                                                                                                            • Instruction ID: a1f38e56255029a04c18d9a257a4749cb18e87c59d6d7e30ae9fcee8bc98899f
                                                                                                            • Opcode Fuzzy Hash: eba2b6b781916e608914db1571d45536446d8a842bf59ec6f6f88126e349b26f
                                                                                                            • Instruction Fuzzy Hash: 89F08277205204AFDB80ABA5ACC8BBD7FB5F778352F508015E509C22E9C760558DAF72
APIs
• gethostname.WS2_32(?,00000080), ref: 0050AD1C
• lstrlenA.KERNEL32(00000000), ref: 0050AD60
• lstrlenA.KERNEL32(00000000), ref: 0050AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0050AD7F
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 3b5be071bf136e97dede568a14f7e65e0c2fe640184b74e839ef8eb407599ecb
• Instruction ID: 5b340fbe4dc3c162f4fec148074e2d3cdb3460e61f7f7aa84c2f8add9b823dec
• Instruction Fuzzy Hash: 4E01F92684438A5EDF314738D848BED3F657B96706F504056E8C09F5D5E66488878793
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,005098FD,00000001,00000100,005122F8,0050A3C7), ref: 00504290
• CloseHandle.KERNEL32(0050A3C7), ref: 005043AB
• CloseHandle.KERNEL32(00000001), ref: 005043AE
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: CloseHandle$CreateEvent
• API String ID: 1371578007-0
• Opcode ID: 327e418384bebbb49ff9a93498a510162365f5bd3a87d61ee9f9ebeb75f6e7c5
• Instruction ID: 3f89f4961bebc69a6ef3b75bb12e447757b4344d12272ce30c32587699b786dc
• Instruction Fuzzy Hash: 64417FB190020ABADB10ABA1CD4AFEFBFBCFF44364F205555F614A61D1D7749A80DBA0
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,005064CF,00000000), ref: 0050609C
• LoadLibraryA.KERNEL32(?,?,005064CF,00000000), ref: 005060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0050614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0050619E
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: Read$AddressLibraryLoadProc
• API String ID: 2438460464-0
• Opcode ID: 0c55055e8614f9b969f19449340c7587327340071976ca2529a8b8c990a9e19c
• Instruction ID: dff536dc0f47371f3483724b9cf5a2e55e8ddb191f0fae5f2ef3df13df40d22d
• Instruction Fuzzy Hash: 13415C71A00206AFDB14CF54C884BADBBB5FF54354F248469E815D72D1D730ED64DB90
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• Opcode ID: 69e57b16b030440b2e9d21f0826acbd122dcacc5a3ec48e9814c1ff419f5b41f
• Instruction ID: da834639ac67eea9f06f449ffd20309879e1656ae33e7472f53f0837482e959f
• Instruction Fuzzy Hash: 9631C971A00319ABCB109F95CC896BE7BF4FF88701F108859F504E7181E774D641CB60
APIs
• GetTickCount.KERNEL32 ref: 0050272E
• htons.WS2_32(00000001), ref: 00502752
• htons.WS2_32(0000000F), ref: 005027D5
• htons.WS2_32(00000001), ref: 005027E3
• sendto.WS2_32(?,00512BF8,00000009,00000000,00000010,00000010), ref: 00502802
  • Part of subcall function 0050EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0050EBFE,7FFF0001,?,0050DB55,7FFF0001), ref: 0050EBD3
  • Part of subcall function 0050EBCC: RtlAllocateHeap.NTDLL(00000000,?,0050DB55,7FFF0001), ref: 0050EBDA
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: htons$Heap$AllocateCountProcessTicksendto
• API String ID: 1128258776-0
• Opcode ID: 237b3099d97e6ab7b68bde660b9c7609ac029d493db88d90bbb24b1a545c8142
• Instruction ID: bc79374ba4e8333af299d73b35e643113fcf6454fbd35d9adcc4fc81cf8d5a74
• Instruction Fuzzy Hash: 0E31583424C3929FD7108F74DC84AA97B60FF69314F29C06DE859CB3A3D6769886EB00
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,005122F8), ref: 0050915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00509166
• CharToOemA.USER32(?,?), ref: 00509174
• wsprintfA.USER32 ref: 005091A9
  • Part of subcall function 00509064: GetTempPathA.KERNEL32(00000400,?,00000000,005122F8), ref: 0050907B
  • Part of subcall function 00509064: wsprintfA.USER32 ref: 005090E9
  • Part of subcall function 00509064: CreateFileA.KERNEL32(005122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0050910E
  • Part of subcall function 00509064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00509122
  • Part of subcall function 00509064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0050912D
  • Part of subcall function 00509064: CloseHandle.KERNEL32(00000000), ref: 00509134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 005091E1
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• API String ID: 3857584221-0
• Opcode ID: 5382baea829238024de6ae345c1475b4d42bdb1ecde70f1314b8dedfb1011702
• Instruction ID: 4a3312dfa92fda4305dcc95cc97de9024a85c838fd0f52f721181f5d9851d163
• Instruction Fuzzy Hash: F70180F69401197BDB20A7618C4DEDF3A7CEB95701F0000A1BB09E20C0DAB496C9CF70
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00502491,?,?,?,0050E844,-00000030,?,?,?,00000001), ref: 00502429
• lstrlenA.KERNEL32(?,?,00502491,?,?,?,0050E844,-00000030,?,?,?,00000001,00501E3D,00000001,localcfg,lid_file_upd), ref: 0050243E
• lstrcmpiA.KERNEL32(?,?), ref: 00502452
• lstrlenA.KERNEL32(?,?,00502491,?,?,?,0050E844,-00000030,?,?,?,00000001,00501E3D,00000001,localcfg,lid_file_upd), ref: 00502467
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: 54fc7643900b795c46b5ec04639e5875907b0ddbd1d6276ac53c5eded81f972e
• Instruction ID: 6103bb43570fc611df6ca2dfe8b32c4ea21cb46930d34c6c862316e1c4ab21f1
• Instruction Fuzzy Hash: C4011632600218EFCF11EF69CC888DE7BA9FF44394B01C426E859A7251E370EA449A90
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00506F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*pP), ref: 00506F24
• FreeSid.ADVAPI32(?), ref: 00506F3E
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *pP
• API String ID: 3429775523-2395943462
• Opcode ID: fdd46d7063cf35722c66e09f72b65b6ac5ffbbf6d35a5a4b261fc653d5924adf
• Instruction ID: 465642c1c7b3357514674a116d563b29e5e25d7f325245d460d7e48bb2fef2ac
• Instruction Fuzzy Hash: 0601E171904209AFDB10DFE4ECCDAAE7BB8FB18300F508869E605E2191E7749E98DB14
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 81fc1901132f413310dfff0a352c8ca6d78056b6790db7b9b0c151362f00f109
• Instruction ID: dac9082ebab15cd11690421a1124fce4999632c7f6bb13e24938e38b161a17dd
• Instruction Fuzzy Hash: 64419D729042999FDF21CF788C49BEE7FE8AF49310F240456F9A4D3192D635DA05CBA0
APIs
  • Part of subcall function 0050DD05: GetTickCount.KERNEL32 ref: 0050DD0F
  • Part of subcall function 0050DD05: InterlockedExchange.KERNEL32(005136B4,00000001), ref: 0050DD44
  • Part of subcall function 0050DD05: GetCurrentThreadId.KERNEL32 ref: 0050DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00505EC1), ref: 0050E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00505EC1), ref: 0050E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,00505EC1), ref: 0050E722
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: b971e34a3e86432fc1c96759f64afafd0769b1b03182f3e0f3c79ef6d50a1516
• Instruction ID: 22031ef4b400f1749b17aa9c4834935d85e2260bf315564c2cd91c172188e4f7
• Instruction Fuzzy Hash: 4131AE315007429BDB318F64E88A7AE7FE8FB65310F24892AE556875D0D771E884CB91
                                                                                                            APIs
                                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0050E2A3,00000000,00000000,00000000,00020106,00000000,0050E2A3,00000000,000000E4), ref: 0050E0B2
                                                                                                            • RegSetValueExA.ADVAPI32(0050E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,005122F8), ref: 0050E127
                                                                                                            • RegDeleteValueA.ADVAPI32(0050E2A3,?,?,?,?,?,000000C8,005122F8), ref: 0050E158
                                                                                                            • RegCloseKey.ADVAPI32(0050E2A3,?,?,?,?,000000C8,005122F8,?,?,?,?,?,?,?,?,0050E2A3), ref: 0050E161
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value$CloseCreateDelete
                                                                                                            • String ID:
                                                                                                            • API String ID: 2667537340-0
                                                                                                            • Opcode ID: e0fa3d5aca5cb69d29c976432d5554a448f48c70ec6de5583c167c394b6ec4c9
                                                                                                            • Instruction ID: dcda7b92ab7fa883371e452f1960e56b9fe898f3ab5ecbac522da17cfcc2b157
                                                                                                            • Opcode Fuzzy Hash: e0fa3d5aca5cb69d29c976432d5554a448f48c70ec6de5583c167c394b6ec4c9
                                                                                                            • Instruction Fuzzy Hash: B0215C72A00219BBDF219FA4DC8AEDE7FB9EF09750F108461F904A6191E6718A54DBA0
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00000000,00000000,0050A3C7,00000000,00000000,000007D0,00000001), ref: 00503F44
                                                                                                            • GetLastError.KERNEL32 ref: 00503F4E
                                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00503F5F
                                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00503F72
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3373104450-0
                                                                                                            • Opcode ID: 764e96fecd26c034c2d32a18019a3cdd7d6206e41de3c4ed4874326ff2680b91
                                                                                                            • Instruction ID: 9a565f295a261b1122a7a7b89db363ec0deaea5643c5f9c3f6172b59938e7dce
                                                                                                            • Opcode Fuzzy Hash: 764e96fecd26c034c2d32a18019a3cdd7d6206e41de3c4ed4874326ff2680b91
                                                                                                            • Instruction Fuzzy Hash: 4101D37291110AABDB01DF90DE88BEE7BBCFB18365F504465FA01E2090D7749A949BA2
                                                                                                            APIs
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,0050A3C7,00000000,00000000,000007D0,00000001), ref: 00503FB8
                                                                                                            • GetLastError.KERNEL32 ref: 00503FC2
                                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00503FD3
                                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00503FE6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 888215731-0
                                                                                                            • Opcode ID: 162c62233a66b1e57cff7223f31ccf0c0640928bb061ad2f04021e28675ec2f8
                                                                                                            • Instruction ID: d577c26da3636d5241d52e0624d65b0eb921399a037071314ac9eb9dcfa8bd5b
                                                                                                            • Opcode Fuzzy Hash: 162c62233a66b1e57cff7223f31ccf0c0640928bb061ad2f04021e28675ec2f8
                                                                                                            • Instruction Fuzzy Hash: A801177291010AAFDF01DF90DD4ABEE3BBCFF18355F404451F906E2090D7749A549BA1
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0050A4D1
                                                                                                            • GetTickCount.KERNEL32 ref: 0050A4E4
                                                                                                            • Sleep.KERNEL32(00000000,?,0050C2E9,0050C4E0,00000000,localcfg,?,0050C4E0,00513588,00508810), ref: 0050A4F1
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0050A4FA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: a612fadf5be9e05ce177bc5af7207b5c0865e4e9647faff3cff572b51c1d41d3
                                                                                                            • Instruction ID: abd71985298e4024aee3ee270a9c7aa7823c7eda1f144aac8c1103a1c6e7a164
                                                                                                            • Opcode Fuzzy Hash: a612fadf5be9e05ce177bc5af7207b5c0865e4e9647faff3cff572b51c1d41d3
                                                                                                            • Instruction Fuzzy Hash: 3FE0263720131457CE006BA5AC88FAE3B88BB5D761F424021FA08D31C1C696A88551B3
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00504E9E
                                                                                                            • GetTickCount.KERNEL32 ref: 00504EAD
                                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00504EBA
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00504EC3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: ef3ef7cf8c6118170cd9c2365f95e5060782240f381a9d97f2bb964baae40923
                                                                                                            • Instruction ID: a0d0504d9fc1f4a768398dfa6abe423ed74d6c35f34e129b3f74df2b05b9bdc8
                                                                                                            • Opcode Fuzzy Hash: ef3ef7cf8c6118170cd9c2365f95e5060782240f381a9d97f2bb964baae40923
                                                                                                            • Instruction Fuzzy Hash: 8FE086B620121457D61027B9EC88F9A6A4DBB69361F410531F709D21C1C596989659B2
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00504BDD
                                                                                                            • GetTickCount.KERNEL32 ref: 00504BEC
                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,02A1B0CC,005050F2), ref: 00504BF9
                                                                                                            • InterlockedExchange.KERNEL32(02A1B0C0,00000001), ref: 00504C02
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: 0bdb6645f7672f553c345a6a31b225197fb1d99f00df01cd05ffb7e755dddb4d
                                                                                                            • Instruction ID: 9d83d4f098a021be69d3e561ab6f365ab61e4539a49461020041984fa7964d9d
                                                                                                            • Opcode Fuzzy Hash: 0bdb6645f7672f553c345a6a31b225197fb1d99f00df01cd05ffb7e755dddb4d
                                                                                                            • Instruction Fuzzy Hash: 89E0267220121457CA0027A65C84FAA7B58BB69361F424022F708C21C0C992D88049B1
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00503103
                                                                                                            • GetTickCount.KERNEL32 ref: 0050310F
                                                                                                            • Sleep.KERNEL32(00000000), ref: 0050311C
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00503128
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2207858713-0
                                                                                                            • Opcode ID: c893aed44c859764cf88928354ccb0cc3bdb8c1667b406c27f8e704efad8946e
                                                                                                            • Instruction ID: 3e3b027f794a02f9f8c2ef6cc0f0a86b5c3ad083656edcd9fd1c441beb637a0e
                                                                                                            • Opcode Fuzzy Hash: c893aed44c859764cf88928354ccb0cc3bdb8c1667b406c27f8e704efad8946e
                                                                                                            • Instruction Fuzzy Hash: 20E0C235200215ABDB006B75AD88B8D6E5EEFAC761F015431F205D20E0C9E04D55D971
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(00509A60,?,?,00000000,00000000,00509A60,?,00000000), ref: 005069F9
                                                                                                            • WriteFile.KERNEL32(00509A60,?,00509A60,00000000,00000000), ref: 00506A27
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite
                                                                                                            • String ID: ,kP
                                                                                                            • API String ID: 3934441357-594838798
                                                                                                            • Opcode ID: ecf6e040614badb56fd998f2c7e0ea8ce6be220224be893435c226d96ebfa18d
                                                                                                            • Instruction ID: 727459fda8b6e9d1d2ffadca7310ea63b079006a37d02efc195f5cc49bce23b3
                                                                                                            • Opcode Fuzzy Hash: ecf6e040614badb56fd998f2c7e0ea8ce6be220224be893435c226d96ebfa18d
                                                                                                            • Instruction Fuzzy Hash: 7E311A72A00209EFDB24DF58D984BAE7BF4FB54315F11886AE805E7280D370EE64DB61
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTick
                                                                                                            • String ID: localcfg
                                                                                                            • API String ID: 536389180-1857712256
                                                                                                            • Opcode ID: 60a2fed91fbc37d683a3c07fc9dd1c5913ea7a331a19d1beac4631b851c7fe65
                                                                                                            • Instruction ID: 2da3f13e4b4a7540889b15183d9ee71711df8f67e0bbc8737000d3f9dc2c8790
                                                                                                            • Opcode Fuzzy Hash: 60a2fed91fbc37d683a3c07fc9dd1c5913ea7a331a19d1beac4631b851c7fe65
                                                                                                            • Instruction Fuzzy Hash: EC21C033A10611AFCB108B64DD95ABEBFB9FB20310B294699E481DB1D1DF20E944D754
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0050C057
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_500000_svchost.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountTickwsprintf
                                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                            • API String ID: 2424974917-1012700906
                                                                                                            • Opcode ID: 0faeddf6528487d2da3d4130104458f11789d6c6823779565a9c266a5295271a
                                                                                                            • Instruction ID: 86de24b04bf29f7d201c93326693455e48a48db248c55157cf3f35110cb537ff
                                                                                                            • Opcode Fuzzy Hash: 0faeddf6528487d2da3d4130104458f11789d6c6823779565a9c266a5295271a
                                                                                                            • Instruction Fuzzy Hash: 60118672100100FFDB429BA9DD48E567FA6FB88318B34919CF6188A166D633D863EB50
                                                                                                            APIs
                                                                                                              • Part of subcall function 005030FA: GetTickCount.KERNEL32 ref: 00503103
                                                                                                              • Part of subcall function 005030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00503128
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00503929
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00503939
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: 6157a6749d502b6fba5ade650dce58fa126c4e5b48032cdeb4fb72115fd649cd
• Instruction ID: 216e3537e187e547f39ed97aa2d34706198b01525b712a9665e4866a4d363072
• Opcode Fuzzy Hash: 6157a6749d502b6fba5ade650dce58fa126c4e5b48032cdeb4fb72115fd649cd
• Instruction Fuzzy Hash: EA116675900209EFD720DF0AD585AACFBF8FB49715F10891EE84497281C7B0AB84DFA0
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0050BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0050ABB9
• InterlockedIncrement.KERNEL32(00513640), ref: 0050ABE1
Strings
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 6fd8fdd1662622d7da6ed461b6665011a4e92180615597c482897ca7779c5c29
• Instruction ID: 37e0486412031c7344a7dc90b80ee476b0733c39302909c337f0ae5f4579f402
• Opcode Fuzzy Hash: 6fd8fdd1662622d7da6ed461b6665011a4e92180615597c482897ca7779c5c29
• Instruction Fuzzy Hash: 75019E315083C4AFDB11CF18D885E9A7FA6BF55314F144885F5808B293C3B0EA84CB92
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 005026C3
• inet_ntoa.WS2_32(?), ref: 005026E4
Strings
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: 88433d4cc950dcda665bebd5364331da60ed58d6121d576d1554f525bdbba117
• Instruction ID: 7d9ce15febc024a9877733db09c13cac403e9a2b8a042a9e3f34d7c23f3da5bf
• Opcode Fuzzy Hash: 88433d4cc950dcda665bebd5364331da60ed58d6121d576d1554f525bdbba117
• Instruction Fuzzy Hash: 0DF012361482096BEF016FA4EC0EE9E3B9CEB09750F248425F918DA0D0DFB1D9409798
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(gxtfamnt,Function_00009867), ref: 0050996C
  • Part of subcall function 00509892: SetServiceStatus.ADVAPI32(00513394), ref: 005098EB
  • Part of subcall function 005098F2: Sleep.KERNEL32(000003E8,00000100,005122F8,0050A3C7), ref: 00509909
Strings
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
Yara matches
Similarity
• API ID: Service$CtrlHandlerRegisterSleepStatus
• String ID: HvT$gxtfamnt
• API String ID: 1317371667-3626281857
• Opcode ID: 4fb0437b2fb6a595e7c5f460f54adcd08a73652a4b7e8decbb1a16d66dd66ddd
• Instruction ID: 377b04cbb10218d24365c3fc29a0aa2bfaacbfa00ce6bd4fcceba93c923fc403
• Opcode Fuzzy Hash: 4fb0437b2fb6a595e7c5f460f54adcd08a73652a4b7e8decbb1a16d66dd66ddd
• Instruction Fuzzy Hash: C5F0B4E1540305AEE3005B501DDBB5A7948BB31344F08C828B514492DBEBB14D48D261
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0050EB54,_alldiv,0050F0B7,80000001,00000000,00989680,00000000,?,?,?,0050E342,00000000,75A8EA50,80000001,00000000), ref: 0050EAF2
• GetProcAddress.KERNEL32(76E90000,00000000), ref: 0050EB07
Strings
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: e4c70a5f4f2c4b72fffa95fa0a0ddc27f624f869136971b8e1358bb8ee309272
• Instruction ID: 1175f53d64b63f21cefa6a675b2821a37a0d3b6a024d4677619784f6cbd3758b
• Opcode Fuzzy Hash: e4c70a5f4f2c4b72fffa95fa0a0ddc27f624f869136971b8e1358bb8ee309272
• Instruction Fuzzy Hash: B7D0C934A00302ABDF124F649D2FD897AACBB74741B90C455B406D11A0E778DA8CEA00
APIs
  • Part of subcall function 00502D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00502F01,?,005020FF,00512000), ref: 00502D3A
  • Part of subcall function 00502D21: LoadLibraryA.KERNEL32(?), ref: 00502D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00502F73
• HeapFree.KERNEL32(00000000), ref: 00502F7A
Memory Dump Source
• Source File: 00000011.00000002.4128684901.0000000000500000.00000040.00000400.00020000.00000000.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_500000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: f5c0185bbda4c6ae9566809e5182013ac7bf4d7f2deac8604449e3ac309aabd9
• Instruction ID: 9874002b6bb17a202e9cf6ca571def2b60571b9de6671c5ea14e37ff885826fb
• Opcode Fuzzy Hash: f5c0185bbda4c6ae9566809e5182013ac7bf4d7f2deac8604449e3ac309aabd9
• Instruction Fuzzy Hash: 5851BC7190020AAFDF069F64DC899FEBB79FF15304F204569EC96C7290E7329A59CB80