Windows Analysis Report
2FnvReiPU6.exe

Overview

General Information

Sample name: 2FnvReiPU6.exe (renamed because the original name is a hash value)
Original sample name: 6c2b21f0366b3942ae23d428155856a3deedccf6dcd00f3e27652a625455367d.exe
Analysis ID: 1508089
MD5: 38497df5caa858a3e65f3946bb0e28bf
SHA1: 2446e498831b099bc15c37c295387e1c049fc702
SHA256: 6c2b21f0366b3942ae23d428155856a3deedccf6dcd00f3e27652a625455367d
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Yara signature match

Process Tree

  • System is w10x64
  • 2FnvReiPU6.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\2FnvReiPU6.exe" MD5: 38497DF5CAA858A3E65F3946BB0E28BF)
    • cmd.exe (PID: 7528 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\crxslmyv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7580 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\upwtsplm.exe" C:\Windows\SysWOW64\crxslmyv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7644 cmdline: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7704 cmdline: "C:\Windows\System32\sc.exe" description crxslmyv "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7768 cmdline: "C:\Windows\System32\sc.exe" start crxslmyv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7876 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • upwtsplm.exe (PID: 7836 cmdline: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d"C:\Users\user\Desktop\2FnvReiPU6.exe" MD5: 61C4C37954B064097FFBF48D1D960C6E)
    • svchost.exe (PID: 7856 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
No configs have been found
Yara matches in process memory dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xde95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(14 additional memory-dump entries omitted in this excerpt)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
12.2.svchost.exe.620000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
12.2.svchost.exe.620000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.2.svchost.exe.620000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
11.2.upwtsplm.exe.eb0000.1.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
11.2.upwtsplm.exe.eb0000.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(23 additional unpacked-PE entries omitted in this excerpt)

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d"C:\Users\user\Desktop\2FnvReiPU6.exe", ParentImage: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe, ParentProcessId: 7836, ParentProcessName: upwtsplm.exe, ProcessCommandLine: svchost.exe, ProcessId: 7856, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\2FnvReiPU6.exe", ParentImage: C:\Users\user\Desktop\2FnvReiPU6.exe, ParentProcessId: 7480, ParentProcessName: 2FnvReiPU6.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7644, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.11.9, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7856, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d"C:\Users\user\Desktop\2FnvReiPU6.exe", ParentImage: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe, ParentProcessId: 7836, ParentProcessName: upwtsplm.exe, ProcessCommandLine: svchost.exe, ProcessId: 7856, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7856, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\crxslmyv
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\2FnvReiPU6.exe", ParentImage: C:\Users\user\Desktop\2FnvReiPU6.exe, ParentProcessId: 7480, ParentProcessName: 2FnvReiPU6.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7644, ProcessName: sc.exe
No Suricata rule has matched

AV Detection

Source: 2FnvReiPU6.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\upwtsplm.exe | Avira: detection malicious, Label: HEUR/AGEN.1315385
Source: 2FnvReiPU6.exe | ReversingLabs: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Local\Temp\upwtsplm.exe | Joe Sandbox ML: detected
Source: 2FnvReiPU6.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Unpacked PE file: 0.2.2FnvReiPU6.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Unpacked PE file: 11.2.upwtsplm.exe.400000.0.unpack

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\crxslmyv

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.9 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.91 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 173.194.76.27 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 43.231.4.7 443
Source: Joe Sandbox View | IP Address: 98.136.96.91
Source: Joe Sandbox View | IP Address: 43.231.4.7
Source: Joe Sandbox View | IP Address: 94.100.180.31
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-NE1US
Source: Joe Sandbox View | ASN Name: GIGABIT-MYGigabitHostingSdnBhdMY
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 52.101.11.9:25
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 98.136.96.91:25
Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 173.194.76.27:25
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 94.100.180.31:25
Source: unknown | TCP traffic detected without corresponding DNS query: 43.231.4.7 (10 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00402A62: GetProcessHeap, GetProcessHeap, GetProcessHeap, HeapAlloc, socket, htons, select, recv, htons, htons, htons, GetProcessHeap, HeapAlloc, htons, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, closesocket, GetProcessHeap, HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 12.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2FnvReiPU6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.upwtsplm.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2FnvReiPU6.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2FnvReiPU6.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: upwtsplm.exe PID: 7836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7856, type: MEMORYSTR

System Summary

Source: 12.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 12.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 11.2.upwtsplm.exe.eb0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 11.2.upwtsplm.exe.eb0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 0.2.2FnvReiPU6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0.2.2FnvReiPU6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 11.2.upwtsplm.exe.eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 11.2.upwtsplm.exe.eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 11.3.upwtsplm.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 11.3.upwtsplm.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 11.3.upwtsplm.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 11.3.upwtsplm.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 12.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 12.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 0.3.2FnvReiPU6.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0.3.2FnvReiPU6.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 0.3.2FnvReiPU6.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0.3.2FnvReiPU6.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 11.2.upwtsplm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 11.2.upwtsplm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00408E26: CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00401280: ShellExecuteExW, lstrlenW, GetStartupInfoW, CreateProcessWithLogonW, WaitForSingleObject, CloseHandle, CloseHandle, GetLastError, GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\crxslmyv\
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0062C913
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: String function: 00402544 appears 53 times

Rule metadata for Windows_Trojan_Tofsee_26124fe4 (identical for every match listed below): reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Rule metadata for MALWARE_Win_Tofsee (identical for every match listed below): author = ditekSHen, description = Detects Tofsee
Source: 12.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 12.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 11.2.upwtsplm.exe.eb0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 11.2.upwtsplm.exe.eb0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 0.2.2FnvReiPU6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 0.2.2FnvReiPU6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 11.2.upwtsplm.exe.eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 11.2.upwtsplm.exe.eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 11.3.upwtsplm.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 11.3.upwtsplm.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 11.3.upwtsplm.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 11.3.upwtsplm.exe.d50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 12.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 12.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 0.3.2FnvReiPU6.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 0.3.2FnvReiPU6.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 0.3.2FnvReiPU6.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 0.3.2FnvReiPU6.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 11.2.upwtsplm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 11.2.upwtsplm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
Source: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee
            Source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
            Source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
            Source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
            Source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
            Source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/3@8/5
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_00629A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:<PID>:120:WilError_03 (one per conhost.exe instance; PIDs 7652, 7712, 7884, 7792, 7588, 7536)
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | File created: C:\Users\user\AppData\Local\Temp\upwtsplm.exe
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 2FnvReiPU6.exe | ReversingLabs: Detection: 89%
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | File read: C:\Users\user\Desktop\2FnvReiPU6.exe
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_11-6915)
            Source: unknown | Process created: C:\Users\user\Desktop\2FnvReiPU6.exe "C:\Users\user\Desktop\2FnvReiPU6.exe"
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\crxslmyv\
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\upwtsplm.exe" C:\Windows\SysWOW64\crxslmyv\
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support"
            Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description crxslmyv "wifi internet conection"
            Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start crxslmyv
            Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d"C:\Users\user\Desktop\2FnvReiPU6.exe"
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
            Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Sections loaded: apphelp.dll, modemui.dll, uniplat.dll, ??????.dll, ewqzafg.dll, eappcfg.dll, dbghelp.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Sections loaded: apphelp.dll, modemui.dll, uniplat.dll, ??????.dll, ewqzafg.dll, eappcfg.dll, dbghelp.dll, sspicli.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Sections loaded: dbghelp.dll, iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, sspicli.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Sections loaded: kernel.appcore.dll, ifmon.dll, iphlpapi.dll, mprapi.dll, rasmontr.dll, rasapi32.dll, fwpuclnt.dll, rasman.dll, mfc42u.dll, authfwcfg.dll, fwpolicyiomgr.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, dhcpcmonitor.dll, dot3cfg.dll, dot3api.dll, onex.dll, eappcfg.dll, ncrypt.dll, eappprxy.dll, ntasn1.dll, fwcfg.dll, hnetmon.dll, netshell.dll, nlaapi.dll, netsetupapi.dll, netiohlp.dll, dhcpcsvc.dll, winnsi.dll, nshhttp.dll, httpapi.dll, nshipsec.dll, userenv.dll, activeds.dll, polstore.dll, winipsec.dll, adsldpc.dll, nshwfp.dll, cabinet.dll, p2pnetsh.dll, p2p.dll, profapi.dll, cryptbase.dll, rpcnsh.dll, whhelper.dll, winhttp.dll, wlancfg.dll, cryptsp.dll, wlanapi.dll, wshelper.dll, wevtapi.dll, mswsock.dll, peerdistsh.dll, uxtheme.dll, wcmapi.dll, rmclient.dll, mobilenetworking.dll, slc.dll, sppc.dll, gpapi.dll, ktmw32.dll, mprmsg.dll, windows.storage.dll, wldp.dll, msasn1.dll
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
            Source: 2FnvReiPU6.exe | Static file information: File size 14534144 > 1048576

            Data Obfuscation

            barindex
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Unpacked PE file: 0.2.2FnvReiPU6.exe.400000.0.unpack .text:ER;.pdata:W;.bdata:W;.rsrc:W;.relos:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Unpacked PE file: 11.2.upwtsplm.exe.400000.0.unpack .text:ER;.pdata:W;.bdata:W;.rsrc:W;.relos:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Unpacked PE file: 0.2.2FnvReiPU6.exe.400000.0.unpack
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Unpacked PE file: 11.2.upwtsplm.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
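            The "Unpacked PE file" rows above are the evidence behind "Detected unpacking (changes PE section rights)": the section table of the image dumped from memory (.text:ER;.pdata:W;.bdata:W;.rsrc:W;.relos:R;) no longer matches the table in the file on disk (.text:ER;.rdata:R;.data:W;.reloc:R;). The block below is an added example, not code from this report or from Joe Security, showing how that comparison is done. It parses the section table of two constructed minimal PE32 headers (built by build_image, a helper that exists only to keep the example self-contained; no real code and none of the sample's bytes) whose section names mirror the two layouts above, renders each section's memory flags as E/R/W letters (the letters are derived from the IMAGE_SCN_MEM_* bits, so a writable data section shows as RW rather than the report's shorthand W, which is an assumption about the report's notation), and lists the positional differences.

```python
"""Compare the section table of an on-disk PE with that of a memory dump of the
same image to catch in-place unpacking that rewrites section names and rights.

Added example, not code from the Joe Sandbox report or from Joe Security. The two
images are constructed minimal PE32 headers (no code, not the sample's bytes)
whose section names mirror the two layouts the report prints for 2FnvReiPU6.exe;
build_image() is an assumed helper that exists only to make the example run.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def rights(characteristics):
    """E/R/W letters for the memory flags set on a section (assumption: the same
    shorthand the report uses, derived here directly from the flag bits)."""
    return "".join(letter for flag, letter in ((IMAGE_SCN_MEM_EXECUTE, "E"),
                                               (IMAGE_SCN_MEM_READ, "R"),
                                               (IMAGE_SCN_MEM_WRITE, "W"))
                   if characteristics & flag)


def parse_sections(image):
    """Return [(name, rights)] from the section table of a PE image.

    Works on a file or on a dump of the loaded image: the headers sit at the same
    offsets in both, which is what makes the disk-vs-memory comparison cheap."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    hdr_size = struct.calcsize(SECTION_HDR)
    sections = []
    for i in range(num_sections):
        off = table + i * hdr_size
        if off + hdr_size > len(image):
            raise ValueError("truncated section table")
        fields = struct.unpack_from(SECTION_HDR, image, off)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, rights(fields[9])))
    return sections


def summarize(sections):
    """Render a section list in the report's 'name:rights;' notation."""
    return "".join(f"{name}:{r};" for name, r in sections)


def diff_section_tables(disk_image, dump_image):
    """List positional differences between the two section tables.

    Sections are compared by index rather than by name because a packer that
    rewrites the table in place keeps the slots but not the names."""
    disk = parse_sections(disk_image)
    dump = parse_sections(dump_image)
    findings = []
    for i in range(max(len(disk), len(dump))):
        on_disk = disk[i] if i < len(disk) else None
        in_dump = dump[i] if i < len(dump) else None
        if on_disk != in_dump:
            findings.append({"index": i, "disk": on_disk, "dump": in_dump,
                             "rights_changed": bool(on_disk and in_dump
                                                    and on_disk[1] != in_dump[1])})
    return findings


def build_image(sections):
    """Constructed minimal PE32 header with the given [(name, characteristics)]
    section table; only the fields parse_sections() reads are meaningful."""
    e_lfanew = 0x40
    size_opt = 224  # sizeof(IMAGE_OPTIONAL_HEADER32)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table


# Constructed tables: the file as compiled, and the same image after the packer
# has unpacked it in place (names as in the report; data sections are R+W).
DISK_SECTIONS = [(".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                 (".rdata", IMAGE_SCN_MEM_READ),
                 (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                 (".reloc", IMAGE_SCN_MEM_READ)]
DUMP_SECTIONS = [(".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                 (".pdata", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                 (".bdata", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                 (".rsrc", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                 (".relos", IMAGE_SCN_MEM_READ)]

if __name__ == "__main__":
    disk, dump = build_image(DISK_SECTIONS), build_image(DUMP_SECTIONS)
    print("disk:", summarize(parse_sections(disk)))
    print("dump:", summarize(parse_sections(dump)))
    for finding in diff_section_tables(disk, dump):
        print(finding)
```

            On a real case the disk image is the file itself and the dump image is the process memory read from the image base; the same parser serves both because in-place unpackers leave the header at the same offsets. Three of the four differences here are sections that gained write access, and one is an extra section that does not exist on disk.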

            Persistence and Installation Behavior

            barindex
            Source: unknown | Executable created and started: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | File created: C:\Users\user\AppData\Local\Temp\upwtsplm.exe
            Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe (copy)
            Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\crxslmyv
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support"
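            The process-creation rows in the earlier process list and the Persistence rows above show the same installation chain: mkdir of a random 8-letter directory under SysWOW64, move of the dropped binary from %TEMP% into it, sc create of an auto-start service whose binPath passes the dropper's own path via /d"...", sc start, and a netsh inbound allow rule for the 32-bit svchost.exe under a name that imitates Windows' own description of svchost. The block below is an added example, not code from this report or from Joe Security, that runs four detection rules over process-creation events and correlates hits by parent process; it also pulls the dropper path out of the /d"..." argument, which is the file the injected svchost.exe deletes later in the report. The events are constructed to mirror the command lines above, the parent/image/cmdline field names are an assumed schema rather than any real log format, and the "exactly 8 lowercase letters" directory pattern is an assumption based on the one name seen here.

```python
"""Detect the Tofsee-style service installation chain in process-creation events.

Added example, not code from the Joe Sandbox report or from Joe Security. The
event records below are constructed to mirror the command lines the report
lists; the field names (parent, image, cmdline) are an assumed schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Tofsee installs its service binary in a directory with a random name under
# SysWOW64 ("crxslmyv" in the report). Assumption: always 8 lowercase letters.
RANDOM_SYSWOW64_DIR = r"\\SysWOW64\\[a-z]{8}\\"


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


def _image_is(event, name):
    return event.image.lower().endswith("\\" + name)


def _matches(event, *patterns):
    return all(re.search(p, event.cmdline, re.IGNORECASE) for p in patterns)


def rule_mkdir_random_syswow64(e):
    return _image_is(e, "cmd.exe") and _matches(e, r"\bmkdir\b", RANDOM_SYSWOW64_DIR)


def rule_move_temp_to_syswow64(e):
    return _image_is(e, "cmd.exe") and _matches(
        e, r"\bmove\b", r"\\AppData\\Local\\Temp\\", RANDOM_SYSWOW64_DIR)


def rule_sc_create_random_syswow64(e):
    # sc create <svc> binPath= "C:\Windows\SysWOW64\<8 letters>\<exe> ..." start= auto
    return _image_is(e, "sc.exe") and _matches(
        e, r"\bcreate\b", RANDOM_SYSWOW64_DIR, r"start=\s*auto")


def rule_netsh_allow_syswow64_svchost(e):
    # Inbound allow rule for the 32-bit svchost.exe; a legitimate service host
    # runs from System32 and does not need its own inbound rule.
    return _image_is(e, "netsh.exe") and _matches(
        e, r"advfirewall\s+firewall\s+add\s+rule", r"dir=in\b", r"action=allow\b",
        r'program="[^"]*\\SysWOW64\\svchost\.exe"')


RULES = {
    "mkdir_random_syswow64_dir": rule_mkdir_random_syswow64,
    "move_temp_binary_into_syswow64": rule_move_temp_to_syswow64,
    "sc_create_autostart_in_random_syswow64": rule_sc_create_random_syswow64,
    "netsh_inbound_allow_syswow64_svchost": rule_netsh_allow_syswow64_svchost,
}

# The service binary receives the dropper's path as /d\"<path>\" inside binPath.
DROPPER_ARG = re.compile(r'/d\\"(.+?)\\"')


def dropper_path_from_binpath(cmdline):
    """Return the path handed to the service via /d"...", or None if absent."""
    m = DROPPER_ARG.search(cmdline)
    return m.group(1) if m else None


def correlate(events, min_rules=3):
    """Group rule hits by parent process; a parent that triggers at least
    `min_rules` distinct rules is reported as an installation chain."""
    hits = defaultdict(dict)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e.parent][name] = e.cmdline
                if name == "sc_create_autostart_in_random_syswow64":
                    dropper = dropper_path_from_binpath(e.cmdline)
                    if dropper:
                        hits[e.parent]["dropper_path"] = dropper
    return {parent: h for parent, h in hits.items()
            if sum(1 for k in h if k in RULES) >= min_rules}


# Constructed sample events modelled on the report's process tree.
DROPPER = r"C:\Users\user\Desktop\2FnvReiPU6.exe"
SAMPLE_EVENTS = [
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\crxslmyv' "\\"),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\upwtsplm.exe" C:\Windows\SysWOW64\crxslmyv' "\\"),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start crxslmyv'),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    # Benign control: an installer registering a service under Program Files.
    ProcEvent(r"C:\Temp\setup.exe", r"C:\Windows\System32\sc.exe",
              r'sc create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
]

if __name__ == "__main__":
    for parent, chain in correlate(SAMPLE_EVENTS).items():
        print(parent)
        for key, value in chain.items():
            print(f"  {key}: {value}")
```

            Correlating on the parent rather than alerting on each command keeps the individual rules loose (an admin running sc create or netsh on its own does not fire) while the full chain from one parent does; the extracted dropper path can then be matched against later file-deletion events such as the one recorded for svchost.exe below.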

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\2fnvreipu6.exe
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00401000 LoadLibraryA,CloseHandle,GetShortPathNameW,GetProcAddress,CloseHandle,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process information set: NOOPENFILEERRORBOX (9 times)
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process information set: NOGPFAULTERRORBOX (12 times)
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Process information set: NOOPENFILEERRORBOX (8 times)
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Process information set: NOGPFAULTERRORBOX (2 times)
            Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX (2 times)
            Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 times)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0062199C inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_11-7342)
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-7240)
            Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_12-7854)
            Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision (graph_12-6142)
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_11-7300)
            Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-7229)
            Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_12-7331)
            Source: C:\Windows\SysWOW64\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_12-7434
            Source: C:\Users\user\Desktop\2FnvReiPU6.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-6799
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_11-6930
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exeAPI coverage: 8.5 %
            Source: C:\Windows\SysWOW64\svchost.exe TID: 7860Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exe TID: 7952Thread sleep count: 38 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\svchost.exe TID: 7952Thread sleep time: -38000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\2FnvReiPU6.exeCode function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,0_2_00401D96
            Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 30000Jump to behavior
            Source: svchost.exe, 0000000C.00000002.2951512356.0000000000A00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
            Source: C:\Users\user\Desktop\2FnvReiPU6.exeAPI call chain: ExitProcess graph end nodegraph_0-7231
            Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exeAPI call chain: ExitProcess graph end nodegraph_11-7302

Anti Debugging

Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_12-7669
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_006F007E push dword ptr fs:[00000030h] 0_2_006F007E
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_006F03CC push dword ptr fs:[00000030h] 0_2_006F03CC
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_0071007E push dword ptr fs:[00000030h] 0_2_0071007E
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_007103CC push dword ptr fs:[00000030h] 0_2_007103CC
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_0098007E push dword ptr fs:[00000030h] 11_2_0098007E
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_009803CC push dword ptr fs:[00000030h] 11_2_009803CC
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_00D4007E push dword ptr fs:[00000030h] 11_2_00D4007E
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_00D403CC push dword ptr fs:[00000030h] 11_2_00D403CC
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_0040EC2E GetProcessHeap,RtlFreeHeap, 0_2_0040EC2E
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_00629A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_00629A6B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.9 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.91 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 173.194.76.27 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 43.231.4.7 443
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 620000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 620000
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 43A008
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\crxslmyv\
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\upwtsplm.exe" C:\Windows\SysWOW64\crxslmyv\
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description crxslmyv "wifi internet conection"
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start crxslmyv
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Stealing of Sensitive Information

Source: Yara match | File source: 12.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2FnvReiPU6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.upwtsplm.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2FnvReiPU6.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2FnvReiPU6.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: upwtsplm.exe PID: 7836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7856, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 12.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2FnvReiPU6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.upwtsplm.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2FnvReiPU6.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.upwtsplm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2FnvReiPU6.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: upwtsplm.exe PID: 7836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7856, type: MEMORYSTR
Source: C:\Users\user\Desktop\2FnvReiPU6.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
Source: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe | Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 11_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_006288B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 12_2_006288B0
MITRE ATT&CK Matrix (numbers in parentheses are the counts shown next to matched techniques; rows are the matrix as listed in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Native API (41) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (3) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (12) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Service Execution (3) | Windows Service (14) | Access Token Manipulation (1) | Obfuscated Files or Information (1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (14) | Software Packing (2) | NTDS | System Information Discovery (15) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (412) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (111) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (111) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (12) | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts (1) | Proc Filesystem | System Network Configuration Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Virtualization/Sandbox Evasion (111) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (412) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1508089 | Sample: 2FnvReiPU6.exe | Startdate: 09/09/2024 | Architecture: WINDOWS | Score: 100

Behavior graph nodes (edges "a->b" reference the node numbers below):
 2: Start. DNS/IP: yahoo.com; mxs.mail.ru; 5 other IPs or domains. Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures. Starts 8 and 11.
 8: upwtsplm.exe started. Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures. Starts 14.
 11: 2FnvReiPU6.exe started. Dropped: C:\Users\user\AppData\Local\...\upwtsplm.exe, PE32. Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Starts 18, 21, 23 and 25.
 14: svchost.exe started. DNS/IP: mta7.am0.yahoodns.net 98.136.96.91, 25, YAHOO-NE1US, United States; microsoft-com.mail.protection.outlook.com 52.101.11.9, 25, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 3 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry).
 18: cmd.exe started. Dropped: C:\Windows\SysWOW64\...\upwtsplm.exe (copy), PE32. Starts 27 (conhost.exe).
 21: netsh.exe started. Starts 29 (conhost.exe).
 23: cmd.exe started. Starts 31 (conhost.exe).
 25: 3 other processes. Start 33, 35 and 37 (conhost.exe).

Source | Detection | Scanner | Label
2FnvReiPU6.exe | 89% | ReversingLabs | Win32.Trojan.Emotet
2FnvReiPU6.exe | 100% | Avira | HEUR/AGEN.1315385
2FnvReiPU6.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\upwtsplm.exe | 100% | Avira | HEUR/AGEN.1315385
C:\Users\user\AppData\Local\Temp\upwtsplm.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
mta7.am0.yahoodns.net | 98.136.96.91 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.9 | true | true | | unknown
smtp.google.com | 173.194.76.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
173.194.76.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
52.101.11.9 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
98.136.96.91 | mta7.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
43.231.4.7 | unknown | Malaysia | 55720 | GIGABIT-MYGigabitHostingSdnBhdMY | true
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1508089
                          Start date and time:2024-09-09 17:02:11 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 0s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:2FnvReiPU6.exe
                          renamed because original name is a hash value
                          Original Sample Name:6c2b21f0366b3942ae23d428155856a3deedccf6dcd00f3e27652a625455367d.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@22/3@8/5
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 67
                          • Number of non-executed functions: 175
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 20.236.44.162, 20.76.201.171, 20.112.250.133, 20.70.246.20, 20.231.239.246
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: 2FnvReiPU6.exe
Time | Type | Description
11:03:52 | API Interceptor | 11x Sleep call for process: svchost.exe modified
Match           Associated Sample Name / URL                              Detection   Threat Name
98.136.96.91    SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe       malicious   Tofsee
                lYWiDKe1In.exe                                            malicious   Tofsee
                rpzOeQ5QzX.exe                                            malicious   Tofsee
                newtpp.exe                                                malicious   Phorpiex
                gEkl9O5tiu.exe                                            malicious   Phorpiex
                file.exe                                                  malicious   Phorpiex, Xmrig
                .exe                                                      malicious   Unknown
                l3Qj8QhTYZ.exe                                            malicious   Phorpiex
                message.txt.exe                                           malicious   Unknown
                test.dat.exe                                              malicious   Unknown
43.231.4.7      W4KtaS5yf1.exe                                            malicious   Tofsee
                1.exe                                                     malicious   Tofsee
                PyIi6pkq8F.exe                                            malicious   Tofsee
                fJQWVp3S5r.exe                                            malicious   Tofsee
                3gsDd2imbR.exe                                            malicious   Tofsee
                4MFtS7taNz                                                malicious   Tofsee
                fuZcDWJRoP.exe                                            malicious   Tofsee
                verybig.exe                                               malicious   Tofsee
                mycoolnewscreensaver.exe                                  malicious   Tofsee
                W7TVCSXI5O.exe                                            malicious   Tofsee
94.100.180.31   qkkcfptf.exe                                              malicious   Tofsee
                vekvtia.exe                                               malicious   Tofsee
                UUJycuNA6D.exe                                            malicious   Tofsee
                igvdwmhd.exe                                              malicious   Tofsee
                fdnoqmpv.exe                                              malicious   Tofsee
                rRBVVlBwia.exe                                            malicious   Tofsee
                setup.exe                                                 malicious   Tofsee
                m4Jp2TLBHJ.exe                                            malicious   Tofsee
                SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe    malicious   Tofsee
                vyrcclmm.exe                                              malicious   Tofsee
Match                                        Associated Sample Name / URL                              Detection   Threat Name   Context
mxs.mail.ru                                  874A7cigvX.exe                                            malicious   Tofsee        217.69.139.150
                                             RSno9EH0K9.exe                                            malicious   Tofsee        217.69.139.150
                                             ODy57hA4Su.exe                                            malicious   Tofsee        217.69.139.150
                                             Uc84uB877e.exe                                            malicious   Tofsee        217.69.139.150
                                             qkkcfptf.exe                                              malicious   Tofsee        94.100.180.31
                                             vekvtia.exe                                               malicious   Tofsee        94.100.180.31
                                             knkduwqg.exe                                              malicious   Tofsee        217.69.139.150
                                             foufdsk.exe                                               malicious   Tofsee        217.69.139.150
                                             UUJycuNA6D.exe                                            malicious   Tofsee        94.100.180.31
                                             bEsOrli29K.exe                                            malicious   Tofsee        217.69.139.150
microsoft-com.mail.protection.outlook.com    874A7cigvX.exe                                            malicious   Tofsee        52.101.42.0
                                             RSno9EH0K9.exe                                            malicious   Tofsee        52.101.8.49
                                             ODy57hA4Su.exe                                            malicious   Tofsee        52.101.11.0
                                             Uc84uB877e.exe                                            malicious   Tofsee        52.101.8.49
                                             qkkcfptf.exe                                              malicious   Tofsee        52.101.42.0
                                             vekvtia.exe                                               malicious   Tofsee        52.101.8.49
                                             knkduwqg.exe                                              malicious   Tofsee        52.101.11.0
                                             foufdsk.exe                                               malicious   Tofsee        52.101.40.26
                                             UUJycuNA6D.exe                                            malicious   Tofsee        52.101.40.26
                                             bEsOrli29K.exe                                            malicious   Tofsee        52.101.11.0
mta7.am0.yahoodns.net                        874A7cigvX.exe                                            malicious   Tofsee        67.195.204.74
                                             RSno9EH0K9.exe                                            malicious   Tofsee        67.195.228.111
                                             Uc84uB877e.exe                                            malicious   Tofsee        67.195.228.109
                                             bEsOrli29K.exe                                            malicious   Tofsee        67.195.204.77
                                             Eduhazqw4u.exe                                            malicious   Tofsee        67.195.228.109
                                             setup.exe                                                 malicious   Tofsee        98.136.96.76
                                             m4Jp2TLBHJ.exe                                            malicious   Tofsee        67.195.204.77
                                             SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe    malicious   Tofsee        67.195.204.74
                                             AvDJi40xp_9fyz7RPmKdbxb4.exe                              malicious   Tofsee        67.195.228.94
                                             dIg0MWRViP.exe                                            malicious   Tofsee        67.195.228.94
Match                                   Associated Sample Name / URL                              Detection   Threat Name      Context
GIGABIT-MY GigabitHostingSdnBhd (MY)    http://www.3659ggg.net/                                   malicious   Unknown          103.198.200.7
                                        SecuriteInfo.com.Linux.Siggen.9999.17528.22528.elf        malicious   Mirai            172.93.165.119
                                        win1.exe                                                  malicious   Unknown          103.144.139.186
                                        94.156.67.132-skid.mpsl-2024-07-30T18_34_38.elf           malicious   Mirai, Moobot    172.93.165.113
                                        6ddrUd6iQo.exe                                            malicious   FormBook         103.71.177.176
                                        http://oveman-austral.com/                                malicious   Unknown          103.198.200.1
                                        http://capitalhillblue.com/                               malicious   Unknown          103.198.200.1
                                        http://3115ll.me/                                         malicious   Unknown          103.198.200.1
                                        LisectAVT_2403002B_22.exe                                 malicious   Young Lotus      202.9.39.96
                                        LisectAVT_2403002B_22.exe                                 malicious   Young Lotus      202.9.39.96
MICROSOFT-CORP-MSN-AS-BLOCK (US)        https://b00gjbzv.r.us-west-2.awstrack.me/L0/https://www.tiktok.com/////link/v2?aid=1988&lang=enpihd7s&scene=bio_url&target=google.com.////amp/s/karlandrade.com/dayo/apmvx/%5B$%E3%80%82/YWNhYmVyb0BidXJuc21jZC5jb20=/1/01010191d7358f23-01744765-7af5-4eed-8446-de1b584459e4-000000/m-sFuLTWhbEYMC52sHOqVlTWLLE=391  malicious   HTMLPhisher      52.97.189.98
                                        https://1drv.ms/o/s!BDwGtOL3Ob0ShF7R9UYMfic1EmBo?e=xcw67NPIpE-D6DjdNd9CDg&at=9  malicious   HTMLPhisher      52.108.11.12
                                        https://myworkspace10fa5.myclickfunnels.com/onlinereview--00e63?preview=true  malicious   Unknown          150.171.28.10
                                        https://imperosolutions-my.sharepoint.com/personal/jdoyle_imperosoftware_com/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fjdoyle%5Fimperosoftware%5Fcom%2FDocuments%2FEd%20Pro%20MSIs%2FClassMgt%5FRIO%20RANCHO%20PUBLIC%20SCHOOL%20DIST%5FImperoClientSetup8626%2Emsi&parent=%2Fpersonal%2Fjdoyle%5Fimperosoftware%5Fcom%2FDocuments%2FEd%20Pro%20MSIs&ga=1  malicious   HTMLPhisher      13.107.136.10
                                        Ln3Yc2X66g.exe                                            malicious   DBatLoader       13.107.137.11
                                        https://emea.dcv.ms/y0CiMKVFMD                            malicious   Unknown          13.107.246.60
                                        https://navexglobal.navexone.com/content/dotNet/documents/?docid=9960&public=true  malicious   Unknown          52.108.8.12
                                        Play_VM-Now(Motcasereviewteam)CQDM.html                   malicious   HTMLPhisher      13.107.246.60
                                        Zen Desk Follow Up-20240905_140238-Meeting Recording.mp4.html  malicious   HTMLPhisher      13.107.253.42
                                        https://skalldyr-my.sharepoint.com/:o:/p/post/EtdITQs4FcRGgNgd61rFkBIBoV1oMjyUbwcDJQUAXGgzAA?e=dpLrAe  malicious   Unknown          52.108.10.12
YAHOO-NE1 (US)                          qkkcfptf.exe                                              malicious   Tofsee           98.136.96.74
                                        knkduwqg.exe                                              malicious   Tofsee           98.136.96.75
                                        foufdsk.exe                                               malicious   Tofsee           98.136.96.76
                                        .exe                                                      malicious   Unknown          98.136.96.76
                                        VvlYJBzLuW.elf                                            malicious   Mirai            216.252.107.64
                                        rRBVVlBwia.exe                                            malicious   Tofsee           98.136.96.74
                                        setup.exe                                                 malicious   Tofsee           98.136.96.76
                                        botx.arm.elf                                              malicious   Mirai            98.138.56.151
                                        SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe       malicious   Tofsee           98.136.96.91
                                        AvDJi40xp_9fyz7RPmKdbxb4.exe                              malicious   Tofsee           98.136.96.75
MAILRU-AS MailRu (RU)                   OuZGkt7xKK.exe                                            malicious   Coinhive, Xmrig  178.237.20.50
                                        OuZGkt7xKK.exe                                            malicious   Coinhive, Xmrig  178.237.20.50
                                        874A7cigvX.exe                                            malicious   Tofsee           217.69.139.150
                                        RSno9EH0K9.exe                                            malicious   Tofsee           217.69.139.150
                                        ODy57hA4Su.exe                                            malicious   Tofsee           217.69.139.150
                                        Uc84uB877e.exe                                            malicious   Tofsee           217.69.139.150
                                        qkkcfptf.exe                                              malicious   Tofsee           94.100.180.31
                                        vekvtia.exe                                               malicious   Tofsee           94.100.180.31
                                        knkduwqg.exe                                              malicious   Tofsee           217.69.139.150
                                        foufdsk.exe                                               malicious   Tofsee           217.69.139.150
                                                                                      No context
                                                                                      No context
                                                                                      Process:C:\Users\user\Desktop\2FnvReiPU6.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13543424
                                                                                      Entropy (8bit):6.756597985941956
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:vzpKS0FRvqPKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK:dMS
                                                                                      MD5:61C4C37954B064097FFBF48D1D960C6E
                                                                                      SHA1:09C10E4C4C796D36DD9B42F8ECCF3685612D28B5
                                                                                      SHA-256:A9BC78D9B70AB33DF1AF6180D4B3E9389BF2E4309E12A864AA41700E87529D31
                                                                                      SHA-512:E2467EC816119E6ACAA39FADDE6965A64C5816E00DC209C740125E09DE662833FF6E5FB26B8B631880E615FD3CC669C3CDAC6642996A50AA3CA6745D453FC3F9
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P.................F...@...............`....@..................................t....@.................................<...P.......`...........................................................................................................text....D.......F.....................`.pdata...)...`...*...J..............@....bdata...............t..............@....rsrc...`............z...................relos...........(.....................B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13543424
                                                                                      Entropy (8bit):6.756597985941956
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:vzpKS0FRvqPKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK:dMS
                                                                                      MD5:61C4C37954B064097FFBF48D1D960C6E
                                                                                      SHA1:09C10E4C4C796D36DD9B42F8ECCF3685612D28B5
                                                                                      SHA-256:A9BC78D9B70AB33DF1AF6180D4B3E9389BF2E4309E12A864AA41700E87529D31
                                                                                      SHA-512:E2467EC816119E6ACAA39FADDE6965A64C5816E00DC209C740125E09DE662833FF6E5FB26B8B631880E615FD3CC669C3CDAC6642996A50AA3CA6745D453FC3F9
                                                                                      Malicious:true
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P.................F...@...............`....@..................................t....@.................................<...P.......`...........................................................................................................text....D.......F.....................`.pdata...)...`...*...J..............@....bdata...............t..............@....rsrc...`............z...................relos...........(.....................B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\netsh.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3773
                                                                                      Entropy (8bit):4.7109073551842435
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                      MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                      SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                      SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                      SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                      Malicious:false
                                                                                      Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):6.755672206082449
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:2FnvReiPU6.exe
                                                                                      File size:14'534'144 bytes
                                                                                      MD5:38497df5caa858a3e65f3946bb0e28bf
                                                                                      SHA1:2446e498831b099bc15c37c295387e1c049fc702
                                                                                      SHA256:6c2b21f0366b3942ae23d428155856a3deedccf6dcd00f3e27652a625455367d
                                                                                      SHA512:a172f7b7b005a72069cab497a0b3dfb79badf1b899e990c959eb0b830db4a91250c137e8e5fdf74920ca59a2ede93de39a7f85b774fe7342c1f228ab4b15bf86
                                                                                      SSDEEP:12288:KzpKS0FRvqPKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKn:oMS
                                                                                      TLSH:15E65B56847EAB73D5000D3D90DBFFD7122CFAE053588A53AE4640C36E5C6294AF786B
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P.................F...@...............`....@..................................t....@................................
                                                                                      Icon Hash:90cececece8e8eb0
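Added triage example (my own code, not part of the Joe Sandbox report and not the sample's code): it recomputes the hash and 8-bit entropy fields listed above for a file and adds a scan for long runs of identical chunks. Two facts from the tables motivate the scan: the dropped copy (13,543,424 bytes, MD5 61C4C379...) is roughly 1 MB smaller than the submitted file (14,534,144 bytes, MD5 38497DF5...) yet reports almost the same entropy (6.7566 vs 6.7557), and both SSDEEP signatures are dominated by a long run of one character, which is what a piecewise hash typically produces over repeated filler. Byte-frequency entropy cannot see such filler when the repeated block itself is high-entropy, so the chunk scan is the complementary check. The 4096-byte chunk size, the run threshold, the function names and the constructed test buffer are assumptions of this example.

```python
"""File triage helpers: hashes, 8-bit Shannon entropy and a scan for long runs
of repeated content (padding).  Added example; not code from the report."""
import hashlib
import math
import random
from collections import Counter


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 / SHA-512 hex digests, the fields the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0) over the whole buffer,
    the same quantity the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def repeated_chunk_runs(data: bytes, chunk: int = 4096, min_run: int = 8) -> list:
    """Return (offset, length_in_bytes, chunk_sha256) for every run of at least
    min_run consecutive identical chunks.  Such runs are filler (zeros or one
    block stamped many times) that inflates size without adding code or data.
    Entropy alone misses a repeated high-entropy block because the byte
    distribution is unchanged; comparing chunks catches it."""
    runs = []
    total = len(data) // chunk          # whole chunks only; a partial tail is ignored
    i = 0
    while i < total:
        cur = data[i * chunk:(i + 1) * chunk]
        j = i + 1
        while j < total and data[j * chunk:(j + 1) * chunk] == cur:
            j += 1
        if j - i >= min_run:
            runs.append((i * chunk, (j - i) * chunk, hashlib.sha256(cur).hexdigest()))
        i = j
    return runs


def padding_ratio(data: bytes, chunk: int = 4096, min_run: int = 8) -> float:
    """Fraction of the file covered by repeated-chunk runs (0.0 when empty)."""
    if not data:
        return 0.0
    covered = sum(length for _, length, _ in repeated_chunk_runs(data, chunk, min_run))
    return covered / len(data)


def build_sample() -> bytes:
    """Constructed test input (assumption, not a real file): 64 KiB of
    pseudo-random bytes followed by one random 4 KiB block repeated 256 times."""
    rng = random.Random(1)
    head = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    block = bytes(rng.getrandbits(8) for _ in range(4096))
    return head + block * 256


if __name__ == "__main__":
    blob = build_sample()
    print("sha256 =", file_hashes(blob)["sha256"])
    print(f"entropy = {entropy8(blob):.4f} bits/byte")
    for off, length, digest in repeated_chunk_runs(blob):
        print(f"repeated chunk run at 0x{off:x}: {length} bytes, chunk sha256 {digest[:16]}...")
    print(f"padding ratio = {padding_ratio(blob):.2%}")
```

Run it against the submitted file and the dropped copy side by side: matching run hashes at different offsets, or a padding ratio that explains the ~1 MB size difference, tells you the two are the same payload with different filler before you spend time diffing them.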
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 17:03:10.944856882 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.9
Sep 9, 2024 17:03:11.950920105 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.9
Sep 9, 2024 17:03:13.670233011 CEST | 49732 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:03:13.670273066 CEST | 443 | 49732 | 43.231.4.7 | 192.168.2.4
Sep 9, 2024 17:03:13.670399904 CEST | 49732 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:03:13.950895071 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.9
Sep 9, 2024 17:03:17.966559887 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.9
Sep 9, 2024 17:03:25.982269049 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.9
Sep 9, 2024 17:03:30.967506886 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.91
Sep 9, 2024 17:03:31.982279062 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.91
Sep 9, 2024 17:03:33.982255936 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.91
Sep 9, 2024 17:03:37.982223988 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.91
Sep 9, 2024 17:03:45.982304096 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.91
Sep 9, 2024 17:03:50.999453068 CEST | 49740 | 25 | 192.168.2.4 | 173.194.76.27
Sep 9, 2024 17:03:51.997958899 CEST | 49740 | 25 | 192.168.2.4 | 173.194.76.27
Sep 9, 2024 17:03:53.685575962 CEST | 49732 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:03:53.685647964 CEST | 443 | 49732 | 43.231.4.7 | 192.168.2.4
Sep 9, 2024 17:03:53.685715914 CEST | 49732 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:03:53.795072079 CEST | 49741 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:03:53.795120955 CEST | 443 | 49741 | 43.231.4.7 | 192.168.2.4
Sep 9, 2024 17:03:53.795303106 CEST | 49741 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:03:54.013524055 CEST | 49740 | 25 | 192.168.2.4 | 173.194.76.27
Sep 9, 2024 17:03:58.029043913 CEST | 49740 | 25 | 192.168.2.4 | 173.194.76.27
Sep 9, 2024 17:04:06.029083014 CEST | 49740 | 25 | 192.168.2.4 | 173.194.76.27
Sep 9, 2024 17:04:11.023190975 CEST | 49743 | 25 | 192.168.2.4 | 94.100.180.31
Sep 9, 2024 17:04:12.031671047 CEST | 49743 | 25 | 192.168.2.4 | 94.100.180.31
Sep 9, 2024 17:04:14.044939041 CEST | 49743 | 25 | 192.168.2.4 | 94.100.180.31
Sep 9, 2024 17:04:18.044831991 CEST | 49743 | 25 | 192.168.2.4 | 94.100.180.31
Sep 9, 2024 17:04:26.060358047 CEST | 49743 | 25 | 192.168.2.4 | 94.100.180.31
Sep 9, 2024 17:04:33.795005083 CEST | 49741 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:04:33.795089960 CEST | 443 | 49741 | 43.231.4.7 | 192.168.2.4
Sep 9, 2024 17:04:33.795155048 CEST | 49741 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:04:33.904696941 CEST | 49744 | 443 | 192.168.2.4 | 43.231.4.7
Sep 9, 2024 17:04:33.904752970 CEST | 443 | 49744 | 43.231.4.7 | 192.168.2.4
Sep 9, 2024 17:04:33.905046940 CEST | 49744 | 443 | 192.168.2.4 | 43.231.4.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 17:03:10.696655035 CEST | 64255 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:03:10.944004059 CEST | 53 | 64255 | 1.1.1.1 | 192.168.2.4
Sep 9, 2024 17:03:30.951937914 CEST | 51090 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:03:30.958936930 CEST | 53 | 51090 | 1.1.1.1 | 192.168.2.4
Sep 9, 2024 17:03:30.959556103 CEST | 55213 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:03:30.966983080 CEST | 53 | 55213 | 1.1.1.1 | 192.168.2.4
Sep 9, 2024 17:03:50.982918978 CEST | 61634 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:03:50.990212917 CEST | 53 | 61634 | 1.1.1.1 | 192.168.2.4
Sep 9, 2024 17:03:50.991153955 CEST | 52109 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:03:50.998955965 CEST | 53 | 52109 | 1.1.1.1 | 192.168.2.4
Sep 9, 2024 17:04:10.998724937 CEST | 52715 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:04:11.006895065 CEST | 53 | 52715 | 1.1.1.1 | 192.168.2.4
Sep 9, 2024 17:04:11.007623911 CEST | 53523 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:04:11.022620916 CEST | 53 | 53523 | 1.1.1.1 | 192.168.2.4
Sep 9, 2024 17:05:11.348786116 CEST | 58720 | 53 | 192.168.2.4 | 1.1.1.1
Sep 9, 2024 17:05:11.383241892 CEST | 53 | 58720 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 9, 2024 17:03:10.696655035 CEST | 192.168.2.4 | 1.1.1.1 | 0x96a9 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.951937914 CEST | 192.168.2.4 | 1.1.1.1 | 0x6222 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:03:30.959556103 CEST | 192.168.2.4 | 1.1.1.1 | 0x4140 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:50.982918978 CEST | 192.168.2.4 | 1.1.1.1 | 0x140a | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:03:50.991153955 CEST | 192.168.2.4 | 1.1.1.1 | 0x789c | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:04:10.998724937 CEST | 192.168.2.4 | 1.1.1.1 | 0x9f31 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:04:11.007623911 CEST | 192.168.2.4 | 1.1.1.1 | 0xa793 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:05:11.348786116 CEST | 192.168.2.4 | 1.1.1.1 | 0xf99b | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 9, 2024 17:03:10.944004059 CEST | 1.1.1.1 | 192.168.2.4 | 0x96a9 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.9 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:10.944004059 CEST | 1.1.1.1 | 192.168.2.4 | 0x96a9 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.0 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:10.944004059 CEST | 1.1.1.1 | 192.168.2.4 | 0x96a9 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.41.22 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:10.944004059 CEST | 1.1.1.1 | 192.168.2.4 | 0x96a9 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.7 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.958936930 CEST | 1.1.1.1 | 192.168.2.4 | 0x6222 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:03:30.958936930 CEST | 1.1.1.1 | 192.168.2.4 | 0x6222 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:03:30.958936930 CEST | 1.1.1.1 | 192.168.2.4 | 0x6222 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:30.966983080 CEST | 1.1.1.1 | 192.168.2.4 | 0x4140 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:50.990212917 CEST | 1.1.1.1 | 192.168.2.4 | 0x140a | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:03:50.998955965 CEST | 1.1.1.1 | 192.168.2.4 | 0x789c | No error (0) | smtp.google.com | | 173.194.76.27 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:50.998955965 CEST | 1.1.1.1 | 192.168.2.4 | 0x789c | No error (0) | smtp.google.com | | 74.125.133.26 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:50.998955965 CEST | 1.1.1.1 | 192.168.2.4 | 0x789c | No error (0) | smtp.google.com | | 74.125.133.27 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:50.998955965 CEST | 1.1.1.1 | 192.168.2.4 | 0x789c | No error (0) | smtp.google.com | | 108.177.15.26 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:03:50.998955965 CEST | 1.1.1.1 | 192.168.2.4 | 0x789c | No error (0) | smtp.google.com | | 108.177.15.27 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:04:11.006895065 CEST | 1.1.1.1 | 192.168.2.4 | 0x9f31 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 9, 2024 17:04:11.022620916 CEST | 1.1.1.1 | 192.168.2.4 | 0xa793 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:04:11.022620916 CEST | 1.1.1.1 | 192.168.2.4 | 0xa793 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:05:11.383241892 CEST | 1.1.1.1 | 192.168.2.4 | 0xf99b | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:05:11.383241892 CEST | 1.1.1.1 | 192.168.2.4 | 0xf99b | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:05:11.383241892 CEST | 1.1.1.1 | 192.168.2.4 | 0xf99b | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 9, 2024 17:05:11.383241892 CEST | 1.1.1.1 | 192.168.2.4 | 0xf99b | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 11:03:05
Start date: 09/09/2024
Path: C:\Users\user\Desktop\2FnvReiPU6.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\2FnvReiPU6.exe"
Imagebase: 0x400000
File size: 14'534'144 bytes
MD5 hash: 38497DF5CAA858A3E65F3946BB0E28BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1707509611.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 1
Start time: 11:03:06
Start date: 09/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\crxslmyv\
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 11:03:06
Start date: 09/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 11:03:06
Start date: 09/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\upwtsplm.exe" C:\Windows\SysWOW64\crxslmyv\
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 11:03:06
Start date: 09/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 11:03:07
Start date: 09/09/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" create crxslmyv binPath= "C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d\"C:\Users\user\Desktop\2FnvReiPU6.exe\"" type= own start= auto DisplayName= "wifi support"
Imagebase: 0xd30000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 11:03:07
Start date: 09/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 11:03:08
Start date: 09/09/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" description crxslmyv "wifi internet conection"
Imagebase: 0xd30000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 11:03:08
Start date: 09/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x890000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                      Target ID:9
                                                                                      Start time:11:03:08
                                                                                      Start date:09/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" start crxslmyv
                                                                                      Imagebase:0xd30000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:11:03:08
                                                                                      Start date:09/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:11:03:08
                                                                                      Start date:09/09/2024
                                                                                      Path:C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe /d"C:\Users\user\Desktop\2FnvReiPU6.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:13'543'424 bytes
                                                                                      MD5 hash:61C4C37954B064097FFBF48D1D960C6E
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1736760587.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1735876774.0000000000D50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:11:03:08
                                                                                      Start date:09/09/2024
                                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:svchost.exe
                                                                                      Imagebase:0xf80000
                                                                                      File size:46'504 bytes
                                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:13
                                                                                      Start time:11:03:09
                                                                                      Start date:09/09/2024
                                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                      Imagebase:0x1560000
                                                                                      File size:82'432 bytes
                                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:11:03:09
                                                                                      Start date:09/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:7.9%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:21.9%
                                                                                        Total number of Nodes:1852
                                                                                        Total number of Limit Nodes:20
                                                                                        execution_graph 8747 40f483 WSAStartup 8748 40f304 8751 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 8748->8751 8750 40f312 8751->8750 8752 405b84 IsBadWritePtr 8753 405b99 8752->8753 8754 405b9d 8752->8754 8755 404bd1 4 API calls 8754->8755 8756 405bcc 8755->8756 8757 405472 18 API calls 8756->8757 8758 405be5 8757->8758 8759 405c05 IsBadWritePtr 8760 405c24 IsBadWritePtr 8759->8760 8767 405ca6 8759->8767 8761 405c32 8760->8761 8760->8767 8762 405c82 8761->8762 8764 404bd1 4 API calls 8761->8764 8763 404bd1 4 API calls 8762->8763 8765 405c90 8763->8765 8764->8762 8766 405472 18 API calls 8765->8766 8766->8767 8597 40e749 8598 40dd05 6 API calls 8597->8598 8599 40e751 8598->8599 8600 40e799 8599->8600 8601 40e781 lstrcmpA 8599->8601 8601->8599 8602 40444a 8603 404458 8602->8603 8604 40446a 8603->8604 8606 401940 8603->8606 8607 40ec2e codecvt 4 API calls 8606->8607 8608 401949 8607->8608 8608->8604 8609 405e4d 8614 405048 8609->8614 8615 404bd1 4 API calls 8614->8615 8617 405056 8615->8617 8616 40508b 8617->8616 8618 40ec2e codecvt 4 API calls 8617->8618 8618->8616 8781 405e0d 8784 4050dc 8781->8784 8783 405e20 8785 404bd1 4 API calls 8784->8785 8786 4050f2 8785->8786 8787 404ae6 8 API calls 8786->8787 8793 4050ff 8787->8793 8788 405130 8790 404ae6 8 API calls 8788->8790 8789 404ae6 8 API calls 8791 405110 lstrcmpA 8789->8791 8792 405138 8790->8792 8791->8788 8791->8793 8794 40516e 8792->8794 8796 404ae6 8 API calls 8792->8796 8826 40513e 8792->8826 8793->8788 8793->8789 8795 404ae6 8 API calls 8793->8795 8798 404ae6 8 API calls 8794->8798 8794->8826 8795->8793 8797 40515e 8796->8797 8797->8794 8801 404ae6 8 API calls 8797->8801 8799 4051b6 8798->8799 8800 404a3d 10 API calls 8799->8800 8802 4051bd 8800->8802 8801->8794 8803 404ae6 8 API calls 8802->8803 8804 4051c7 8803->8804 8805 404ae6 8 API calls 8804->8805 8806 4051d7 8805->8806 8807 404ae6 8 API calls 
8806->8807 8808 4051e7 8807->8808 8809 404ae6 8 API calls 8808->8809 8808->8826 8810 405219 8809->8810 8811 404ae6 8 API calls 8810->8811 8812 405227 8811->8812 8813 404ae6 8 API calls 8812->8813 8814 40524f lstrcpyA 8813->8814 8815 404ae6 8 API calls 8814->8815 8819 405263 8815->8819 8816 404ae6 8 API calls 8817 405315 8816->8817 8818 404ae6 8 API calls 8817->8818 8820 405323 8818->8820 8819->8816 8821 404ae6 8 API calls 8820->8821 8823 405331 8821->8823 8822 404ae6 8 API calls 8822->8823 8823->8822 8824 404ae6 8 API calls 8823->8824 8823->8826 8825 405351 lstrcmpA 8824->8825 8825->8823 8825->8826 8826->8783 8827 404c0d 8828 404ae6 8 API calls 8827->8828 8829 404c17 8828->8829 8573 71007e 8574 710083 8573->8574 8586 7105d0 VirtualAlloc 8574->8586 8576 710093 8577 7100bb VirtualProtect VirtualProtect 8576->8577 8582 7100ed 8577->8582 8578 71013d 8587 7101d1 8578->8587 8579 710104 VirtualProtect 8581 710133 VirtualProtect 8579->8581 8579->8582 8581->8582 8582->8578 8582->8579 8582->8581 8583 710147 8584 710198 VirtualFree 8583->8584 8585 7101a0 8584->8585 8586->8576 8588 710254 8587->8588 8589 7101e1 8587->8589 8588->8583 8589->8588 8590 7101f4 LoadLibraryA 8589->8590 8591 710206 VirtualProtect 8589->8591 8592 710243 VirtualProtect 8589->8592 8590->8589 8591->8589 8592->8589 8619 408c51 8620 408c86 8619->8620 8621 408c5d 8619->8621 8622 408c8b lstrcmpA 8620->8622 8632 408c7b 8620->8632 8625 408c7d 8621->8625 8626 408c6e 8621->8626 8624 408c9e 8622->8624 8622->8632 8623 408cad 8631 40ebcc 4 API calls 8623->8631 8623->8632 8624->8623 8627 40ec2e codecvt 4 API calls 8624->8627 8641 408bb3 8625->8641 8633 408be7 8626->8633 8627->8623 8631->8632 8634 408bf2 8633->8634 8635 408c2a 8633->8635 8636 408bb3 6 API calls 8634->8636 8635->8632 8637 408bf8 8636->8637 8645 406410 8637->8645 8639 408c01 8639->8635 8660 406246 8639->8660 8642 408bbc 8641->8642 8644 408be4 8641->8644 8643 406246 6 API calls 8642->8643 8642->8644 8643->8644 8646 40641e 8645->8646 8648 406421 
8645->8648 8646->8639 8647 40643a 8647->8639 8648->8647 8649 40643e VirtualAlloc 8648->8649 8650 406472 8649->8650 8651 40645b VirtualAlloc 8649->8651 8652 40ebcc 4 API calls 8650->8652 8651->8650 8659 4064fb 8651->8659 8653 406479 8652->8653 8653->8659 8670 406069 8653->8670 8656 4064da 8658 406246 6 API calls 8656->8658 8656->8659 8658->8659 8659->8639 8661 4062b3 8660->8661 8663 406252 8660->8663 8661->8635 8662 406297 8665 4062a0 VirtualFree 8662->8665 8666 4062ad 8662->8666 8663->8662 8664 40628f 8663->8664 8667 406281 FreeLibrary 8663->8667 8668 40ec2e codecvt 4 API calls 8664->8668 8665->8666 8669 40ec2e codecvt 4 API calls 8666->8669 8667->8663 8668->8662 8669->8661 8671 406090 IsBadReadPtr 8670->8671 8672 406089 8670->8672 8671->8672 8677 4060aa 8671->8677 8672->8656 8680 405f3f 8672->8680 8673 4060c0 LoadLibraryA 8673->8672 8673->8677 8674 40ebed 8 API calls 8674->8677 8675 40ebcc 4 API calls 8675->8677 8676 406191 IsBadReadPtr 8676->8672 8676->8677 8677->8672 8677->8673 8677->8674 8677->8675 8677->8676 8678 406141 GetProcAddress 8677->8678 8679 406155 GetProcAddress 8677->8679 8678->8677 8679->8677 8681 405fe6 8680->8681 8683 405f61 8680->8683 8681->8656 8682 405fbf VirtualProtect 8682->8681 8682->8683 8683->8681 8683->8682 8830 406511 wsprintfA IsBadReadPtr 8831 40656a htonl htonl wsprintfA wsprintfA 8830->8831 8832 40674e 8830->8832 8837 4065f3 8831->8837 8833 40e318 23 API calls 8832->8833 8834 406753 ExitProcess 8833->8834 8835 40668a GetCurrentProcess StackWalk64 8836 4066a0 wsprintfA 8835->8836 8835->8837 8838 4066ba 8836->8838 8837->8835 8837->8836 8839 406652 wsprintfA 8837->8839 8840 406712 wsprintfA 8838->8840 8841 4066da wsprintfA 8838->8841 8842 4066ed wsprintfA 8838->8842 8839->8837 8843 40e8a1 30 API calls 8840->8843 8841->8842 8842->8838 8844 406739 8843->8844 8845 40e318 23 API calls 8844->8845 8846 406741 8845->8846 8684 4043d2 8685 4043e0 8684->8685 8686 4043ef 8685->8686 8687 401940 4 API calls 8685->8687 8687->8686 8847 404e92 
GetTickCount 8848 404ec0 InterlockedExchange 8847->8848 8849 404ec9 8848->8849 8850 404ead GetTickCount 8848->8850 8850->8849 8851 404eb8 Sleep 8850->8851 8851->8848 8688 405453 8693 40543a 8688->8693 8694 405048 8 API calls 8693->8694 8695 40544b 8694->8695 8696 404ed3 8701 404c9a 8696->8701 8702 404ca9 8701->8702 8704 404cd8 8701->8704 8703 40ec2e codecvt 4 API calls 8702->8703 8703->8704 8852 405d93 IsBadWritePtr 8853 405da8 8852->8853 8855 405ddc 8852->8855 8853->8855 8856 405389 8853->8856 8857 404bd1 4 API calls 8856->8857 8858 4053a5 8857->8858 8859 404ae6 8 API calls 8858->8859 8862 4053ad 8859->8862 8860 405407 8860->8855 8861 404ae6 8 API calls 8861->8862 8862->8860 8862->8861 8863 408314 8864 40675c 21 API calls 8863->8864 8865 408324 8864->8865 8866 405099 8867 404bd1 4 API calls 8866->8867 8868 4050a2 8867->8868 8705 40195b 8706 401971 8705->8706 8707 40196b 8705->8707 8708 40ec2e codecvt 4 API calls 8707->8708 8708->8706 8519 4050dc 8520 404bd1 4 API calls 8519->8520 8521 4050f2 8520->8521 8522 404ae6 8 API calls 8521->8522 8528 4050ff 8522->8528 8523 405130 8525 404ae6 8 API calls 8523->8525 8524 404ae6 8 API calls 8526 405110 lstrcmpA 8524->8526 8527 405138 8525->8527 8526->8523 8526->8528 8529 40516e 8527->8529 8531 404ae6 8 API calls 8527->8531 8561 40513e 8527->8561 8528->8523 8528->8524 8530 404ae6 8 API calls 8528->8530 8533 404ae6 8 API calls 8529->8533 8529->8561 8530->8528 8532 40515e 8531->8532 8532->8529 8536 404ae6 8 API calls 8532->8536 8534 4051b6 8533->8534 8562 404a3d 8534->8562 8536->8529 8538 404ae6 8 API calls 8539 4051c7 8538->8539 8540 404ae6 8 API calls 8539->8540 8541 4051d7 8540->8541 8542 404ae6 8 API calls 8541->8542 8543 4051e7 8542->8543 8544 404ae6 8 API calls 8543->8544 8543->8561 8545 405219 8544->8545 8546 404ae6 8 API calls 8545->8546 8547 405227 8546->8547 8548 404ae6 8 API calls 8547->8548 8549 40524f lstrcpyA 8548->8549 8550 404ae6 8 API calls 8549->8550 8554 405263 8550->8554 8551 404ae6 8 API calls 8552 405315 
8551->8552 8553 404ae6 8 API calls 8552->8553 8555 405323 8553->8555 8554->8551 8556 404ae6 8 API calls 8555->8556 8558 405331 8556->8558 8557 404ae6 8 API calls 8557->8558 8558->8557 8559 404ae6 8 API calls 8558->8559 8558->8561 8560 405351 lstrcmpA 8559->8560 8560->8558 8560->8561 8563 404a53 8562->8563 8564 404a4a 8562->8564 8566 40ebed 8 API calls 8563->8566 8570 404a78 8563->8570 8565 40ebed 8 API calls 8564->8565 8565->8563 8566->8570 8567 404a8e 8568 404a9b 8567->8568 8571 40ec2e codecvt 4 API calls 8567->8571 8568->8538 8569 404aa3 8569->8568 8572 40ebed 8 API calls 8569->8572 8570->8567 8570->8569 8571->8568 8572->8568 8709 404960 8710 40496d 8709->8710 8712 40497d 8709->8712 8711 40ebed 8 API calls 8710->8711 8711->8712 8713 404861 IsBadWritePtr 8714 404876 8713->8714 8715 409961 RegisterServiceCtrlHandlerA 8716 40997d 8715->8716 8723 4099cb 8715->8723 8725 409892 8716->8725 8718 40999a 8719 4099ba 8718->8719 8720 409892 SetServiceStatus 8718->8720 8721 409892 SetServiceStatus 8719->8721 8719->8723 8722 4099aa 8720->8722 8721->8723 8722->8719 8724 4098f2 41 API calls 8722->8724 8724->8719 8726 4098c2 SetServiceStatus 8725->8726 8726->8718 8869 405e21 8870 405e36 8869->8870 8871 405e29 8869->8871 8872 4050dc 17 API calls 8871->8872 8872->8870 8873 4035a5 8874 4030fa 4 API calls 8873->8874 8875 4035b3 8874->8875 8879 4035ea 8875->8879 8880 40355d 8875->8880 8877 4035da 8878 40355d 4 API calls 8877->8878 8877->8879 8878->8879 8881 40f04e 4 API calls 8880->8881 8882 40356a 8881->8882 8882->8877 8883 405029 8888 404a02 8883->8888 8889 404a12 8888->8889 8890 404a18 8888->8890 8891 40ec2e codecvt 4 API calls 8889->8891 8892 404a26 8890->8892 8893 40ec2e codecvt 4 API calls 8890->8893 8891->8890 8894 40ec2e codecvt 4 API calls 8892->8894 8895 404a34 8892->8895 8893->8892 8894->8895 6769 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 6887 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6769->6887 6771 409a95 6772 409aa3 
GetModuleHandleA GetModuleFileNameA 6771->6772 6778 40a3c7 6771->6778 6786 409ac4 6772->6786 6773 40a41c CreateThread WSAStartup 7056 40e52e 6773->7056 7936 40405e CreateEventA 6773->7936 6775 409afd GetCommandLineA 6784 409b22 6775->6784 6776 40a406 DeleteFileA 6776->6778 6779 40a40d 6776->6779 6777 40a445 7075 40eaaf 6777->7075 6778->6773 6778->6776 6778->6779 6781 40a3ed GetLastError 6778->6781 6779->6773 6781->6779 6783 40a3f8 Sleep 6781->6783 6782 40a44d 7079 401d96 6782->7079 6783->6776 6789 409c0c 6784->6789 6798 409b47 6784->6798 6786->6775 6787 40a457 7127 4080c9 6787->7127 6888 4096aa 6789->6888 6795 40a1d2 6805 40a1e3 GetCommandLineA 6795->6805 6796 409c39 6799 40a167 GetModuleHandleA GetModuleFileNameA 6796->6799 6894 404280 CreateEventA 6796->6894 6801 409b96 lstrlenA 6798->6801 6804 409b58 6798->6804 6802 409c05 ExitProcess 6799->6802 6803 40a189 6799->6803 6801->6804 6803->6802 6813 40a1b2 GetDriveTypeA 6803->6813 6804->6802 6811 40675c 21 API calls 6804->6811 6830 40a205 6805->6830 6814 409be3 6811->6814 6813->6802 6815 40a1c5 6813->6815 6814->6802 6993 406a60 CreateFileA 6814->6993 7037 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 6815->7037 6821 40a491 6822 40a49f GetTickCount 6821->6822 6824 40a4be Sleep 6821->6824 6829 40a4b7 GetTickCount 6821->6829 7173 40c913 6821->7173 6822->6821 6822->6824 6824->6821 6826 409ca0 GetTempPathA 6827 409e3e 6826->6827 6828 409cba 6826->6828 6833 409e6b GetEnvironmentVariableA 6827->6833 6837 409e04 6827->6837 6949 4099d2 lstrcpyA 6828->6949 6829->6824 6834 40a285 lstrlenA 6830->6834 6846 40a239 6830->6846 6833->6837 6838 409e7d 6833->6838 6834->6846 7032 40ec2e 6837->7032 6839 4099d2 16 API calls 6838->6839 6840 409e9d 6839->6840 6840->6837 6845 409eb0 lstrcpyA lstrlenA 6840->6845 6843 409d5f 7012 406cc9 6843->7012 6844 40a3c2 7049 4098f2 6844->7049 6849 409ef4 6845->6849 7045 406ec3 6846->7045 6853 406dc2 6 API calls 6849->6853 6854 409f03 6849->6854 6850 40a39d StartServiceCtrlDispatcherA 6850->6844 
6852 40a35f 6852->6844 6852->6852 6858 40a37b 6852->6858 6853->6854 6856 409f32 RegOpenKeyExA 6854->6856 6855 409cf6 6956 409326 6855->6956 6857 409f48 RegSetValueExA RegCloseKey 6856->6857 6861 409f70 6856->6861 6857->6861 6858->6850 6867 409f9d GetModuleHandleA GetModuleFileNameA 6861->6867 6862 409e0c DeleteFileA 6862->6827 6863 409dde GetFileAttributesExA 6863->6862 6865 409df7 6863->6865 6865->6837 6866 409dff 6865->6866 7022 4096ff 6866->7022 6869 409fc2 6867->6869 6870 40a093 6867->6870 6869->6870 6875 409ff1 GetDriveTypeA 6869->6875 6871 40a103 CreateProcessA 6870->6871 6874 40a0a4 wsprintfA 6870->6874 6872 40a13a 6871->6872 6873 40a12a DeleteFileA 6871->6873 6872->6837 6880 4096ff 3 API calls 6872->6880 6873->6872 7028 402544 6874->7028 6875->6870 6878 40a00d 6875->6878 6882 40a02d lstrcatA 6878->6882 6880->6837 6883 40a046 6882->6883 6884 40a052 lstrcatA 6883->6884 6885 40a064 lstrcatA 6883->6885 6884->6885 6885->6870 6886 40a081 lstrcatA 6885->6886 6886->6870 6887->6771 6889 4096b9 6888->6889 7276 4073ff 6889->7276 6891 4096e2 6892 4096f7 6891->6892 7296 40704c 6891->7296 6892->6795 6892->6796 6895 4042a5 6894->6895 6896 40429d 6894->6896 7323 403ecd 6895->7323 6896->6799 6921 40675c 6896->6921 6898 4042b0 7327 404000 6898->7327 6901 4043c1 CloseHandle 6901->6896 6902 4042ce 7333 403f18 WriteFile 6902->7333 6907 4043ba CloseHandle 6907->6901 6908 404318 6909 403f18 4 API calls 6908->6909 6910 404331 6909->6910 6911 403f18 4 API calls 6910->6911 6912 40434a 6911->6912 7341 40ebcc GetProcessHeap RtlAllocateHeap 6912->7341 6915 403f18 4 API calls 6916 404389 6915->6916 6917 40ec2e codecvt 4 API calls 6916->6917 6918 40438f 6917->6918 6919 403f8c 4 API calls 6918->6919 6920 40439f CloseHandle CloseHandle 6919->6920 6920->6896 6922 406784 CreateFileA 6921->6922 6923 40677a SetFileAttributesA 6921->6923 6924 4067a4 CreateFileA 6922->6924 6925 4067b5 6922->6925 6923->6922 6924->6925 6926 4067c5 6925->6926 6927 4067ba SetFileAttributesA 6925->6927 6928 406977 
6926->6928 6929 4067cf GetFileSize 6926->6929 6927->6926 6928->6799 6928->6826 6928->6827 6930 4067e5 6929->6930 6931 406965 6929->6931 6930->6931 6933 4067ed ReadFile 6930->6933 6932 40696e CloseHandle 6931->6932 6932->6928 6933->6931 6934 406811 SetFilePointer 6933->6934 6934->6931 6935 40682a ReadFile 6934->6935 6935->6931 6936 406848 SetFilePointer 6935->6936 6936->6931 6937 406867 6936->6937 6938 4068d5 6937->6938 6939 406878 ReadFile 6937->6939 6938->6932 6941 40ebcc 4 API calls 6938->6941 6940 4068d0 6939->6940 6942 406891 6939->6942 6940->6938 6943 4068f8 6941->6943 6942->6939 6942->6940 6943->6931 6944 406900 SetFilePointer 6943->6944 6945 40695a 6944->6945 6946 40690d ReadFile 6944->6946 6948 40ec2e codecvt 4 API calls 6945->6948 6946->6945 6947 406922 6946->6947 6947->6932 6948->6931 6950 4099eb 6949->6950 6951 409a2f lstrcatA 6950->6951 6952 40ee2a 6951->6952 6953 409a4b lstrcatA 6952->6953 6954 406a60 13 API calls 6953->6954 6955 409a60 6954->6955 6955->6827 6955->6855 7006 406dc2 6955->7006 7347 401910 6956->7347 6959 40934a GetModuleHandleA GetModuleFileNameA 6961 40937f 6959->6961 6962 4093a4 6961->6962 6963 4093d9 6961->6963 6965 4093c3 wsprintfA 6962->6965 6964 409401 wsprintfA 6963->6964 6966 409415 6964->6966 6965->6966 6969 406cc9 5 API calls 6966->6969 6989 4094a0 6966->6989 6968 4094ac 6970 40962f 6968->6970 6971 4094e8 RegOpenKeyExA 6968->6971 6975 409439 6969->6975 6976 409646 6970->6976 7357 401820 6970->7357 6973 409502 6971->6973 6974 4094fb 6971->6974 6979 40951f RegQueryValueExA 6973->6979 6974->6970 6978 40958a 6974->6978 7368 40ef1e lstrlenA 6975->7368 6983 4095d6 6976->6983 7363 4091eb 6976->7363 6978->6976 6984 409593 6978->6984 6981 409539 6979->6981 6988 409530 6979->6988 6986 409556 RegQueryValueExA 6981->6986 6982 409462 6987 40947e wsprintfA 6982->6987 6983->6862 6983->6863 6984->6983 7370 40f0e4 6984->7370 6985 40956e RegCloseKey 6985->6974 6986->6985 6986->6988 6987->6989 6988->6985 7349 406edd 6989->7349 6991 4095bb 
Execution Graph (residue of the interactive call-graph viewer: internal node IDs, code addresses and edge arrows omitted; only the Windows API names visible in the graph are kept below)

APIs referenced in the execution graph:
Dynamic API resolution: LoadLibraryA, GetModuleHandleA, GetProcAddress, FreeLibrary
Process / thread handling: CreateProcessA, CreateProcessWithLogonW, CreateThread, GetThreadContext, SetThreadContext, ResumeThread, VirtualAlloc, VirtualAllocEx, WriteProcessMemory, TerminateProcess, ExitProcess, GetCurrentProcess, GetCurrentThreadId, ShellExecuteA, GetStartupInfoW, WaitForSingleObject, Sleep
Registry: RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegEnumKeyA, RegEnumValueA, RegGetKeySecurity, RegSetKeySecurity, RegCloseKey
File system: CreateFileA, CreateFileW, ReadFile, WriteFile, DeleteFileA, SetFileAttributesA, GetFileAttributesExA, GetFileSize, GetTempPathA, GetSystemDirectoryA, GetWindowsDirectoryA, GetDiskFreeSpaceA, GetVolumeInformationA, DeviceIoControl, GetOverlappedResult, CloseHandle
Named pipes: CreateNamedPipeA, ConnectNamedPipe, DisconnectNamedPipe
Security descriptors / SIDs: LookupAccountNameA, LookupAccountNameW, GetFileSecurityA, SetFileSecurityA, GetSecurityDescriptorOwner, GetSecurityDescriptorDacl, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetAce, DeleteAce, EqualSid, GetLengthSid, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ConvertSidToStringSidA, GetUserNameA, GetUserNameW
Networking (Winsock): socket, connect, select, send, recv, closesocket, setsockopt, ioctlsocket, htons, inet_addr, inet_ntoa, gethostname, gethostbyname, gethostbyaddr, __WSAFDIsSet
System / environment information: GetVersionExA, GetSystemInfo, GetComputerNameA, GetEnvironmentVariableA, GetSystemTime, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetTickCount, IsBadCodePtr, GetLastError
Memory and strings: GetProcessHeap, HeapAlloc, HeapReAlloc, HeapSize, HeapFree, RtlAllocateHeap, RtlFreeHeap, LocalAlloc, LocalFree, InterlockedExchange, InterlockedIncrement, InterlockedDecrement, MultiByteToWideChar, SysAllocStringByteLen, wsprintfA, lstrcpyA, lstrcpynA, lstrcatA, lstrlenA, lstrlenW, lstrcmpA, lstrcmpiA
8247->8248 8249 40ef7c 3 API calls 8248->8249 8250 40b4bb 8249->8250 8387 40ad89 GetLocalTime SystemTimeToFileTime 8250->8387 8254 40b4cc 8255 40ef7c 3 API calls 8254->8255 8256 40b4dd 8255->8256 8257 40b211 7 API calls 8256->8257 8258 40b4ec 8257->8258 8259 40ef7c 3 API calls 8258->8259 8260 40b4fd 8259->8260 8261 40b211 7 API calls 8260->8261 8262 40b509 8261->8262 8263 40ef7c 3 API calls 8262->8263 8264 40b51a 8263->8264 8264->8158 8266 40abe9 GetTickCount 8265->8266 8268 40ab8c 8265->8268 8270 40a51d 8266->8270 8267 40aba8 lstrcpynA 8267->8268 8268->8266 8268->8267 8269 40abe1 InterlockedIncrement 8268->8269 8269->8268 8271 40a4c7 4 API calls 8270->8271 8272 40a52c 8271->8272 8273 40a542 GetTickCount 8272->8273 8275 40a539 GetTickCount 8272->8275 8273->8275 8276 40a56c 8275->8276 8276->8158 8278 40a4c7 4 API calls 8277->8278 8279 40a633 8278->8279 8279->8158 8281 40f04e 4 API calls 8280->8281 8283 40372a 8281->8283 8282 403847 8282->8177 8282->8179 8283->8282 8284 4037b3 GetCurrentThreadId 8283->8284 8284->8283 8285 4037c8 GetCurrentThreadId 8284->8285 8285->8283 8287 40f04e 4 API calls 8286->8287 8291 40360c 8287->8291 8288 4036f1 8288->8178 8288->8179 8289 4036da GetCurrentThreadId 8289->8288 8290 4036e5 GetCurrentThreadId 8289->8290 8290->8288 8291->8288 8291->8289 8293 404bff InterlockedExchange 8292->8293 8294 404c08 8293->8294 8295 404bec GetTickCount 8293->8295 8294->8181 8295->8294 8296 404bf7 Sleep 8295->8296 8296->8293 8316 404763 8297->8316 8299 405b58 8326 404699 8299->8326 8302 404763 lstrlenA 8303 405b6e 8302->8303 8347 404f9f 8303->8347 8305 405b79 8305->8158 8307 405549 lstrlenA 8315 40548a 8307->8315 8309 40558d lstrcpynA 8309->8315 8310 405a9f lstrcpyA 8310->8315 8311 405472 13 API calls 8311->8315 8312 404ae6 8 API calls 8312->8315 8313 405935 lstrcpynA 8313->8315 8314 4058e7 lstrcpyA 8314->8315 8315->8299 8315->8309 8315->8310 8315->8311 8315->8312 8315->8313 8315->8314 8320 404ae6 8315->8320 8324 40ef7c lstrlenA lstrlenA lstrlenA 8315->8324 
8318 40477a 8316->8318 8317 404859 8317->8315 8318->8317 8319 40480d lstrlenA 8318->8319 8319->8318 8321 404af3 8320->8321 8323 404b03 8320->8323 8322 40ebed 8 API calls 8321->8322 8322->8323 8323->8307 8325 40efb4 8324->8325 8325->8315 8352 4045b3 8326->8352 8329 4045b3 7 API calls 8330 4046c6 8329->8330 8331 4045b3 7 API calls 8330->8331 8332 4046d8 8331->8332 8333 4045b3 7 API calls 8332->8333 8334 4046ea 8333->8334 8335 4045b3 7 API calls 8334->8335 8336 4046ff 8335->8336 8337 4045b3 7 API calls 8336->8337 8338 404711 8337->8338 8339 4045b3 7 API calls 8338->8339 8340 404723 8339->8340 8341 40ef7c 3 API calls 8340->8341 8342 404735 8341->8342 8343 40ef7c 3 API calls 8342->8343 8344 40474a 8343->8344 8345 40ef7c 3 API calls 8344->8345 8346 40475c 8345->8346 8346->8302 8348 404fac 8347->8348 8351 404fb0 8347->8351 8348->8305 8349 404ffd 8349->8305 8350 404fd5 IsBadCodePtr 8350->8351 8351->8349 8351->8350 8353 4045c1 8352->8353 8354 4045c8 8352->8354 8355 40ebcc 4 API calls 8353->8355 8356 40ebcc 4 API calls 8354->8356 8358 4045e1 8354->8358 8355->8354 8356->8358 8357 404691 8357->8329 8358->8357 8359 40ef7c 3 API calls 8358->8359 8359->8358 8375 402d21 GetModuleHandleA 8360->8375 8363 402f44 8363->8202 8364 402fcf GetProcessHeap HeapFree 8364->8363 8365 402f4f 8367 402f6b GetProcessHeap HeapFree 8365->8367 8366 402f85 8366->8364 8366->8366 8367->8363 8369 403900 8368->8369 8370 403980 8368->8370 8371 4030fa 4 API calls 8369->8371 8370->8201 8374 40390a 8371->8374 8372 40391b GetCurrentThreadId 8372->8374 8373 403939 GetCurrentThreadId 8373->8374 8374->8370 8374->8372 8374->8373 8376 402d46 LoadLibraryA 8375->8376 8377 402d5b GetProcAddress 8375->8377 8376->8377 8378 402d54 8376->8378 8377->8378 8380 402d6b 8377->8380 8378->8363 8378->8365 8378->8366 8379 402d97 GetProcessHeap HeapAlloc 8379->8378 8379->8380 8380->8378 8380->8379 8381 402db5 lstrcpynA 8380->8381 8381->8380 8383 40a645 8382->8383 8384 40a64d 8382->8384 8383->8210 8385 40a66e 8384->8385 8386 40a65e 
GetTickCount 8384->8386 8385->8210 8386->8385 8388 40adbf 8387->8388 8412 40ad08 gethostname 8388->8412 8391 4030b5 2 API calls 8392 40add3 8391->8392 8393 40a7a3 inet_ntoa 8392->8393 8396 40ade4 8392->8396 8393->8396 8394 40ae85 wsprintfA 8395 40ef7c 3 API calls 8394->8395 8397 40aebb 8395->8397 8396->8394 8398 40ae36 wsprintfA wsprintfA 8396->8398 8399 40ef7c 3 API calls 8397->8399 8400 40ef7c 3 API calls 8398->8400 8401 40aed2 8399->8401 8400->8396 8402 40b211 8401->8402 8403 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 8402->8403 8404 40b2af GetLocalTime 8402->8404 8405 40b2d2 8403->8405 8404->8405 8406 40b2d9 SystemTimeToFileTime 8405->8406 8407 40b31c GetTimeZoneInformation 8405->8407 8408 40b2ec 8406->8408 8409 40b33a wsprintfA 8407->8409 8410 40b312 FileTimeToSystemTime 8408->8410 8409->8254 8410->8407 8413 40ad71 8412->8413 8418 40ad26 lstrlenA 8412->8418 8415 40ad85 8413->8415 8416 40ad79 lstrcpyA 8413->8416 8415->8391 8416->8415 8417 40ad68 lstrlenA 8417->8413 8418->8413 8418->8417 8420 40f428 14 API calls 8419->8420 8421 40198a 8420->8421 8422 401990 closesocket 8421->8422 8423 401998 8421->8423 8422->8423 8423->8005 8425 402d21 6 API calls 8424->8425 8426 402f01 8425->8426 8429 402f0f 8426->8429 8440 402df2 GetModuleHandleA 8426->8440 8428 402684 2 API calls 8430 402f1d 8428->8430 8429->8428 8431 402f1f 8429->8431 8430->8008 8431->8008 8436 401c80 8432->8436 8433 401d1c 8433->8433 8437 401d47 wsprintfA 8433->8437 8434 401cc2 wsprintfA 8435 402684 2 API calls 8434->8435 8435->8436 8436->8433 8436->8434 8439 401d79 8436->8439 8438 402684 2 API calls 8437->8438 8438->8439 8439->8015 8441 402e10 LoadLibraryA 8440->8441 8442 402e0b 8440->8442 8443 402e17 8441->8443 8442->8441 8442->8443 8444 402ef1 8443->8444 8445 402e28 GetProcAddress 8443->8445 8444->8429 8445->8444 8446 402e3e GetProcessHeap HeapAlloc 8445->8446 8449 402e62 8446->8449 8447 402ede GetProcessHeap HeapFree 8447->8444 8448 402e7f htons inet_addr 8448->8449 8450 402ea5 gethostbyname 
8448->8450 8449->8444 8449->8447 8449->8448 8449->8450 8452 402ceb 8449->8452 8450->8449 8453 402cf2 8452->8453 8455 402d1c 8453->8455 8456 402d0e Sleep 8453->8456 8457 402a62 GetProcessHeap HeapAlloc 8453->8457 8455->8449 8456->8453 8456->8455 8458 402a92 8457->8458 8459 402a99 socket 8457->8459 8458->8453 8460 402cd3 GetProcessHeap HeapFree 8459->8460 8461 402ab4 8459->8461 8460->8458 8461->8460 8466 402abd 8461->8466 8462 402adb htons 8477 4026ff 8462->8477 8464 402b04 select 8464->8466 8465 402ca4 8467 402cb3 GetProcessHeap HeapFree closesocket 8465->8467 8466->8462 8466->8464 8466->8465 8466->8467 8468 402b3f recv 8466->8468 8469 402b66 htons 8466->8469 8470 402b87 htons 8466->8470 8473 402bf3 GetProcessHeap HeapAlloc 8466->8473 8474 402c17 htons 8466->8474 8476 402c4d GetProcessHeap HeapFree 8466->8476 8484 402923 8466->8484 8496 402904 8466->8496 8467->8458 8468->8466 8469->8465 8469->8466 8470->8465 8470->8466 8473->8466 8492 402871 8474->8492 8476->8466 8478 40271d 8477->8478 8479 402717 8477->8479 8481 40272b GetTickCount htons 8478->8481 8480 40ebcc 4 API calls 8479->8480 8480->8478 8482 4027cc htons htons sendto 8481->8482 8483 40278a 8481->8483 8482->8466 8483->8482 8485 402944 8484->8485 8488 40293d 8484->8488 8500 402816 htons 8485->8500 8487 402950 8487->8488 8489 402871 htons 8487->8489 8490 4029bd htons htons htons 8487->8490 8488->8466 8489->8487 8490->8488 8491 4029f6 GetProcessHeap HeapAlloc 8490->8491 8491->8487 8491->8488 8493 4028e3 8492->8493 8495 402889 8492->8495 8493->8466 8494 4028c3 htons 8494->8493 8494->8495 8495->8493 8495->8494 8497 402921 8496->8497 8498 402908 8496->8498 8497->8466 8499 402909 GetProcessHeap HeapFree 8498->8499 8499->8497 8499->8499 8501 402836 8500->8501 8502 40286b 8500->8502 8501->8502 8503 40285c htons 8501->8503 8502->8487 8503->8501 8503->8502 8505 406bc0 8504->8505 8506 406bbc 8504->8506 8507 40ebcc 4 API calls 8505->8507 8509 406bd4 8505->8509 8506->8047 8508 406be4 8507->8508 8508->8509 8510 406c07 
CreateFileA 8508->8510 8511 406bfc 8508->8511 8509->8047 8512 406c34 WriteFile 8510->8512 8513 406c2a 8510->8513 8514 40ec2e codecvt 4 API calls 8511->8514 8516 406c49 CloseHandle DeleteFileA 8512->8516 8517 406c5a CloseHandle 8512->8517 8515 40ec2e codecvt 4 API calls 8513->8515 8514->8509 8515->8509 8516->8513 8518 40ec2e codecvt 4 API calls 8517->8518 8518->8509 8593 6f0000 8595 6f000a 8593->8595 8594 6f0030 8595->8594 8596 6f0054 VirtualAlloc 8595->8596 8896 40be31 lstrcmpiA 8897 40be55 lstrcmpiA 8896->8897 8903 40be71 8896->8903 8898 40be61 lstrcmpiA 8897->8898 8897->8903 8901 40bfc8 8898->8901 8898->8903 8899 40bf62 lstrcmpiA 8900 40bf77 lstrcmpiA 8899->8900 8904 40bf70 8899->8904 8902 40bf8c lstrcmpiA 8900->8902 8900->8904 8902->8904 8903->8899 8908 40ebcc 4 API calls 8903->8908 8904->8901 8905 40bfc2 8904->8905 8907 40ec2e codecvt 4 API calls 8904->8907 8906 40ec2e codecvt 4 API calls 8905->8906 8906->8901 8907->8904 8911 40beb6 8908->8911 8909 40bf5a 8909->8899 8910 40ebcc 4 API calls 8910->8911 8911->8899 8911->8901 8911->8909 8911->8910 8912 405d34 IsBadWritePtr 8913 405d47 8912->8913 8914 405d4a 8912->8914 8915 405389 12 API calls 8914->8915 8916 405d80 8915->8916 8736 40a677 8737 40a63d GetTickCount 8736->8737 8738 40a685 8737->8738
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                          • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                        • ExitProcess.KERNEL32 ref: 00409C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                        • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                        • wsprintfA.USER32 ref: 0040A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                          • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                        • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                        • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                        • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                        • Sleep.KERNEL32(00007530), ref: 0040A4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                        • API String ID: 2089075347-2824936573
                                                                                        • Opcode ID: ee29fb71c8483b9b793647ea3264c5355c6b8cc509331a95fd3885054cfcc0e0
                                                                                        • Instruction ID: 3585989bbaedd28a73b270bd9bf1875f0a43ee57e8055613748a08816c1e76ab
                                                                                        • Opcode Fuzzy Hash: ee29fb71c8483b9b793647ea3264c5355c6b8cc509331a95fd3885054cfcc0e0
                                                                                        • Instruction Fuzzy Hash: 585292B1C40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6789E948B69

                                                                                        Control-flow Graph

[Control-flow graph image for the routine at 401000 (blocks 401000-40127f; legend: executed / not executed): LoadLibraryA at 40100d, CloseHandle at 4010b5, then a chain of GetProcAddress blocks from 4010d1 to 40125c, each branching to the failure exit at 40127b when a lookup returns NULL.]
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • CloseHandle.KERNELBASE(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$CloseHandleLibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2326521279-3228201535
                                                                                        • Opcode ID: 4374d5bc11ca1c2fa60be4766612f3b99720bc46af73de5be8a6125bd1a76152
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 4374d5bc11ca1c2fa60be4766612f3b99720bc46af73de5be8a6125bd1a76152
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
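
The two API listings above record, in call order, the sample's install routine (temp-path build-up, an HKCU RegSetValueExA, a CreateProcessA with creation flags 08000000 immediately followed by DeleteFileA on the same buffer, then StartServiceCtrlDispatcherA and WSAStartup) and the routine at 401000 that resolves ntdll token APIs by name. The following is an added example written for this page, not Joe Sandbox's code and not the sample's: a small Python parser for the report's "APIs" bullets plus behavioural checks that decode the creation flags, recover the registry hive and value type from the preceding RegOpenKeyExA, pair CreateProcessA with the DeleteFileA that follows it, and flag the ntdll token-API cluster. The numeric constants are the documented Windows values; the embedded sample lines are copied from the listings above and the thresholds (three or more token APIs) are this example's own choice.

```python
"""Added example: parse Joe Sandbox 'APIs' bullets and flag the behaviours shown in the report."""
import re

# One bullet per call, e.g.
#   • CreateProcessA.KERNEL32(00000000,00000022,...,08000000,...), ref: 0040A120
#   • GetCommandLineA.KERNEL32 ref: 00409AFD
#   • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"            # Api.Module
    r"(?:\((?P<args>[^)]*)\))?"                 # optional (arg,arg,...)
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"   # optional ", ref: 0040A120"
)

# Documented Windows constants; only the subset needed to decode this report.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x08000000: "CREATE_NO_WINDOW",
}
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
# ntdll exports whose joint resolution points at token manipulation (example's own list).
TOKEN_APIS = {"NtOpenProcessToken", "NtDuplicateToken", "NtFilterToken",
              "NtSetInformationToken", "NtSetInformationThread"}


def parse_api_lines(text):
    """Return one {'api','module','args','ref'} dict per bullet that matches API_LINE."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": m.group("ref")})
    return calls


def hexarg(arg):
    """Joe prints scalar arguments as hex; '?' (unknown) and string arguments give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_creation_flags(value):
    """Names of the known CreateProcess flag bits set in value, lowest bit first."""
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]


def find_behaviours(calls):
    """Return (kind, ref, detail) findings over the ordered call list."""
    findings = []
    for i, c in enumerate(calls):
        if c["api"] == "CreateProcessA" and len(c["args"]) >= 6:
            flags = hexarg(c["args"][5])                  # dwCreationFlags is the 6th argument
            if flags is not None:
                findings.append(("CreateProcess flags", c["ref"],
                                 ",".join(decode_creation_flags(flags)) or hex(flags)))
            # Self-deletion pattern: the very next call deletes the buffer just passed as the
            # command line. Joe shows the same opaque value for both; only identity is compared.
            nxt = calls[i + 1] if i + 1 < len(calls) else None
            if nxt and nxt["api"] == "DeleteFileA" and nxt["args"][:1] == c["args"][1:2]:
                findings.append(("self-delete after spawn", nxt["ref"], nxt["args"][0]))
        elif c["api"] == "RegSetValueExA" and len(c["args"]) >= 4:
            # Walk back to the most recent RegOpenKeyExA to recover the hive the value lands in.
            hive = next((hexarg(p["args"][0]) for p in reversed(calls[:i])
                         if p["api"] == "RegOpenKeyExA" and p["args"]), None)
            rtype = hexarg(c["args"][3])                  # dwType is the 4th argument
            findings.append(("registry value write", c["ref"],
                             f"{HKEYS.get(hive, 'unknown hive')}/{REG_TYPES.get(rtype, 'unknown type')}"))
    resolved = {c["args"][1] for c in calls
                if c["api"] == "GetProcAddress" and len(c["args"]) >= 2}
    token_hits = sorted(resolved & TOKEN_APIS)
    if len(token_hits) >= 3:
        findings.append(("dynamic token-API resolution", None, ",".join(token_hits)))
    return findings


# Constructed input: bullets copied from the two API listings above, kept in report order.
SAMPLE = """\
• Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• wsprintfA.USER32 ref: 0040A0B6
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
"""

if __name__ == "__main__":
    for kind, ref, detail in find_behaviours(parse_api_lines(SAMPLE)):
        print(f"{kind:32} {ref or '-':>8}  {detail}")
```

Run against the embedded lines this reports the HKCU REG_SZ write at 00409F5E, CREATE_NO_WINDOW on the CreateProcessA at 0040A120, the self-delete at 0040A131, and four resolved token APIs. The argument values Joe prints (such as 00000022) are whatever it could read of the pointer target, so the pairing check compares them for identity only and never interprets them as paths.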

                                                                                        Control-flow Graph

[Control-flow graph image for the routine at 409326 (blocks 409326-4096a9; legend: executed / not executed): GetVersionExA, then GetModuleHandleA/GetModuleFileNameA, wsprintfA formatting via 402544, a RegOpenKeyExA at 4094b9 with two RegQueryValueExA reads and RegCloseKey at 40956e, and internal calls to 401910, 40ee2a, 406edd, 406cc9, 40ef00, 40ef1e, 401820, 4091eb, 40f0e4 and 4018e0.]
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: PromptOnSecureDesktop$runas
                                                                                        • API String ID: 3696105349-2220793183
                                                                                        • Opcode ID: f08e4a66b1d8eb56d3ad1f8584b36153d56304273cbc9e31910b95c3030bd838
                                                                                        • Instruction ID: e1b414ac2acd800f86155b9566517fe94806afef677b15be1bf33dae74c6658f
                                                                                        • Opcode Fuzzy Hash: f08e4a66b1d8eb56d3ad1f8584b36153d56304273cbc9e31910b95c3030bd838
                                                                                        • Instruction Fuzzy Hash: 33A181B2540208BBEB21DFA1DC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 652 406a60-406a89 CreateFileA 653 406b8c-406ba1 GetLastError 652->653 654 406a8f-406ac3 GetDiskFreeSpaceA 652->654 655 406ba3-406ba6 653->655 656 406ac5-406adc call 40eb0e 654->656 657 406b1d-406b34 call 406987 654->657 656->657 662 406ade 656->662 663 406b56-406b63 CloseHandle 657->663 664 406b36-406b54 GetLastError CloseHandle 657->664 668 406ae0-406ae5 662->668 669 406ae7-406afb call 40eca5 662->669 666 406b65-406b7d GetLastError CloseHandle 663->666 667 406b86-406b8a 663->667 665 406b7f-406b80 DeleteFileA 664->665 665->667 666->665 667->655 668->669 670 406afd-406aff 668->670 669->657 670->657 673 406b01 670->673 674 406b03-406b08 673->674 675 406b0a-406b17 call 40eca5 673->675 674->657 674->675 675->657
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3188212458-2980165447
                                                                                        • Opcode ID: e3959d8a0c931ef24a73e9a1ea7033e807417735a7f73b2997be16ea63ab6e7a
                                                                                        • Instruction ID: 1851fce060154b14ea5ec5bf2ccd3ef97631883a8962a6cabbb456f8c1490fb9
                                                                                        • Opcode Fuzzy Hash: e3959d8a0c931ef24a73e9a1ea7033e807417735a7f73b2997be16ea63ab6e7a
                                                                                        • Instruction Fuzzy Hash: 4731F1B2900208BFDB00DFA09D44ADFBF79EF48310F158076E512F7291D674AA618F69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 678 71007e-7100b1 call 71084d call 71058c call 7105d0 call 71052a 687 7100b3-7100b6 call 7105e3 678->687 688 7100bb-7100e9 VirtualProtect * 2 678->688 687->688 690 7100ed-7100f3 688->690 691 7100f5-710129 call 7105bc call 71038c VirtualProtect 690->691 692 710137-71013b 690->692 701 710133-710136 VirtualProtect 691->701 702 71012b-71012d 691->702 692->690 693 71013d-710168 call 710256 call 7101d1 call 71058c 692->693 707 71016a-71016d 693->707 701->692 702->701 704 71012f-710131 702->704 704->701 708 710173-71018a 707->708 709 71016f-710171 707->709 710 710198-71019b VirtualFree call 710442 708->710 711 71018c-710195 708->711 709->707 713 7101a0-7101be call 710506 call 7103cc call 71084d 710->713 711->710 720 7101c0-7101ce 713->720 721 7101cf 713->721 720->721 721->721
                                                                                        APIs
                                                                                          • Part of subcall function 007105D0: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00710093), ref: 007105DD
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 007100C4
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 007100D4
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 0071011D
                                                                                        • VirtualProtect.KERNELBASE(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 00710133
                                                                                        • VirtualFree.KERNELBASE(?,00004000,00000002,?,?,?,00000004,?,?), ref: 00710198
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739553841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_710000_2FnvReiPU6.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$Protect$AllocFree
                                                                                        • String ID:
                                                                                        • API String ID: 3729553426-0
                                                                                        • Opcode ID: b4ea57e9c5b474e0a01886bed018e1aaea45c2fe781a12c9dc45aeed4f903f47
                                                                                        • Instruction ID: 8050fa6227a20f08d191be4e4505a9502cafe0d54fdf228946a5ff393faed85c
                                                                                        • Opcode Fuzzy Hash: b4ea57e9c5b474e0a01886bed018e1aaea45c2fe781a12c9dc45aeed4f903f47
                                                                                        • Instruction Fuzzy Hash: BF418272200104EFD710AF28C849FEAB7A5EF44720F254519F8059B692C7B9ECC1DBE0

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 766 40ec2e-40ec35 767 40ec37-40ec48 call 40eba0 GetProcessHeap RtlFreeHeap 766->767 768 40ec4e-40ec4f 766->768 767->768
                                                                                        APIs
                                                                                          • Part of subcall function 0040EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0040EC0A,00000000,80000001,?,0040DB55,7FFF0001), ref: 0040EBAD
                                                                                          • Part of subcall function 0040EBA0: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBB4
                                                                                        • GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$FreeSize
                                                                                        • String ID: '@
                                                                                        • API String ID: 1305341483-3530194223
                                                                                        • Opcode ID: 08c81c03a0a7108d9ac838324103417e26cacd08bf8f2d3cca78d1ae5343ebed
                                                                                        • Instruction ID: 2d0ac8bb9d02bc94818634b60920d143dc176b06b32ab47b2cd542b2b5f2599d
                                                                                        • Opcode Fuzzy Hash: 08c81c03a0a7108d9ac838324103417e26cacd08bf8f2d3cca78d1ae5343ebed
                                                                                        • Instruction Fuzzy Hash: 3AC012324062307BD5512751BC0DFDB7B28AF45711F0D481AF40576194C7BD588046ED

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 300 4073ff-407419 301 40741b 300->301 302 40741d-407422 300->302 301->302 303 407424 302->303 304 407426-40742b 302->304 303->304 305 407430-407435 304->305 306 40742d 304->306 307 407437 305->307 308 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 305->308 306->305 307->308 313 407487-40749d call 40ee2a 308->313 314 4077f9-4077fe call 40ee2a 308->314 319 407703-40770e RegEnumKeyA 313->319 320 407801 314->320 321 4074a2-4074b1 call 406cad 319->321 322 407714-40771d RegCloseKey 319->322 323 407804-407808 320->323 326 4074b7-4074cc call 40f1a5 321->326 327 4076ed-407700 321->327 322->320 326->327 330 4074d2-4074f8 RegOpenKeyExA 326->330 331 407727-40772a 330->331 332 4074fe-407530 call 402544 RegQueryValueExA 330->332 333 407755-407764 call 40ee2a 331->333 334 40772c-407740 call 40ef00 331->334 332->331 341 407536-40753c 332->341 342 4076df-4076e2 333->342 343 407742-407745 RegCloseKey 334->343 344 40774b-40774e 334->344 345 40753f-407544 341->345 342->327 347 4076e4-4076e7 RegCloseKey 342->347 343->344 346 4077ec-4077f7 RegCloseKey 344->346 345->345 348 407546-40754b 345->348 346->323 347->327 348->333 349 407551-40756b call 40ee95 348->349 349->333 352 407571-407593 call 402544 call 40ee95 349->352 357 407753 352->357 358 407599-4075a0 352->358 357->333 359 4075a2-4075c6 call 40ef00 call 40ed03 358->359 360 4075c8-4075d7 call 40ed03 358->360 365 4075d8-4075da 359->365 360->365 367 4075dc 365->367 368 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 365->368 367->368 378 407626-40762b 368->378 378->378 379 40762d-407634 378->379 380 407637-40763c 379->380 380->380 381 40763e-407642 380->381 382 407644-407656 call 40ed77 381->382 383 40765c-407673 call 40ed23 381->383 388 407769-40777c call 40ef00 382->388 389 407680 383->389 390 407675-40767e 383->390 395 4077e3-4077e6 RegCloseKey 388->395 392 407683-40768e call 406cad 389->392 390->392 397 407722-407725 392->397 398 407694-4076bf call 40f1a5 call 406c96 392->398 395->346 399 4076dd 397->399 404 4076c1-4076c7 398->404 405 4076d8 398->405 399->342 404->405 406 4076c9-4076d2 404->406 405->399 406->405 407 40777e-407797 GetFileAttributesExA 406->407 408 407799 407->408 409 40779a-40779f 407->409 408->409 410 4077a1 409->410 411 4077a3-4077a8 409->411 410->411 412 4077c4-4077c8 411->412 413 4077aa-4077c0 call 40ee08 411->413 414 4077d7-4077dc 412->414 415 4077ca-4077d6 call 40ef00 412->415 413->412 418 4077e0-4077e2 414->418 419 4077de 414->419 415->414 418->395 419->418
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(00000000,00000000,PromptOnSecureDesktop,00000000,0040733D,00000000), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 3433985886-3108538426
                                                                                        • Opcode ID: 293dfb801b0d4665576106c5a1887ea473dc781c8fdaf55f1d5b1f1ba08ffc92
                                                                                        • Instruction ID: 1fe726b284cde181daef39815de7f37c4bbd18f96b62320efe93ab81be9ef980
                                                                                        • Opcode Fuzzy Hash: 293dfb801b0d4665576106c5a1887ea473dc781c8fdaf55f1d5b1f1ba08ffc92
                                                                                        • Instruction Fuzzy Hash: FEC1F171D04209ABEB119BA5DC45BEF7BB9EF44310F1004B7F504B71D1EA78AE908B69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 422 40704c-407071 423 407073 422->423 424 407075-40707a 422->424 423->424 425 40707c 424->425 426 40707e-407083 424->426 425->426 427 407085 426->427 428 407087-40708c 426->428 427->428 429 407090-4070ca call 402544 RegOpenKeyExA 428->429 430 40708e 428->430 433 4070d0-4070f6 call 406dc2 429->433 434 4071b8-4071c8 call 40ee2a 429->434 430->429 439 40719b-4071a9 RegEnumValueA 433->439 440 4071cb-4071cf 434->440 441 4070fb-4070fd 439->441 442 4071af-4071b2 RegCloseKey 439->442 443 40716e-407194 441->443 444 4070ff-407102 441->444 442->434 443->439 444->443 445 407104-407107 444->445 445->443 446 407109-40710d 445->446 446->443 447 40710f-407133 call 402544 call 40eed1 446->447 452 4071d0-407203 call 402544 call 40ee95 call 40ee2a 447->452 453 407139-407145 call 406cad 447->453 468 407205-407212 RegCloseKey 452->468 469 407227-40722e 452->469 459 407147-40715c call 40f1a5 453->459 460 40715e-40716b call 40ee2a 453->460 459->452 459->460 460->443 470 407222-407225 468->470 471 407214-407221 call 40ef00 468->471 472 407230-407256 call 40ef00 call 40ed23 469->472 473 40725b-40728c call 402544 call 40ee95 call 40ee2a 469->473 470->440 471->470 472->473 485 407258 472->485 487 4072b8-4072cb call 40ed77 473->487 488 40728e-40729a RegCloseKey 473->488 485->473 495 4072dd-4072f4 call 40ed23 487->495 496 4072cd-4072d8 RegCloseKey 487->496 489 4072aa-4072b3 488->489 490 40729c-4072a9 call 40ef00 488->490 489->440 490->489 499 407301 495->499 500 4072f6-4072ff 495->500 496->440 501 407304-40730f call 406cad 499->501 500->501 504 407311-40731d RegCloseKey 501->504 505 407335-40735d call 40f1a5 call 406c96 501->505 506 40732d-407330 504->506 507 40731f-40732c call 40ef00 504->507 514 4073d5-4073e2 RegCloseKey 505->514 515 40735f-407365 505->515 506->489 507->506 516 4073f2-4073f7 514->516 517 4073e4-4073f1 call 40ef00 514->517 515->514 518 407367-407370 515->518 517->516 518->514 519 407372-40737c 518->519 521 40739d-4073a2 519->521 522 40737e-407395 GetFileAttributesExA 519->522 525 4073a4 521->525 526 4073a6-4073a9 521->526 522->521 524 407397 522->524 524->521 525->526 527 4073b9-4073bc 526->527 528 4073ab-4073b8 call 40ef00 526->528 530 4073cb-4073cd 527->530 531 4073be-4073ca call 40ef00 527->531 528->527 530->514 531->530
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(00000000,00000000,PromptOnSecureDesktop,00000000,0040733D,00000000), ref: 0040F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"$PromptOnSecureDesktop
                                                                                        • API String ID: 4293430545-98143240
                                                                                        • Opcode ID: 2c1a7a5e27a45d9024ae5e8b0fc79a4811596a6e22ca9665a21b83de94bf1e77
                                                                                        • Instruction ID: 74598ce6d8ea9c8d39eff0b1fc7e26e3f0ef6396efd0c92e31e65397aa2b09b2
                                                                                        • Opcode Fuzzy Hash: 2c1a7a5e27a45d9024ae5e8b0fc79a4811596a6e22ca9665a21b83de94bf1e77
                                                                                        • Instruction Fuzzy Hash: 17B17E71C0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501B61D1EB79AA94CB69

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                        • CloseHandle.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                        • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                        • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                          • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                          • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                          • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                          • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                          • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4131120076-2980165447
                                                                                        • Opcode ID: 64f94f97fc7a2fc36851443ee948ec9bf9619d76a0d0eb5e6a7564e87e4dadd6
                                                                                        • Instruction ID: e7d34e2afa9736079c4f2b655464ed4410373cfc52d7b7bacd72a574a3edd52e
                                                                                        • Opcode Fuzzy Hash: 64f94f97fc7a2fc36851443ee948ec9bf9619d76a0d0eb5e6a7564e87e4dadd6
                                                                                        • Instruction Fuzzy Hash: CA018F7294020877EA102F62EC4BF9F7F1DEB44718F00883AF619790D2D9B995609A6C

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 408151869-2980165447
                                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                        • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID: ,k@
                                                                                        • API String ID: 3934441357-1053005162
                                                                                        • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                        • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(?,?,?,00000000,?,?,?,00000004,?,?), ref: 007101F5
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000,?,?,?,00000004,?,?), ref: 00710212
                                                                                        • VirtualProtect.KERNELBASE(?,00000000,?,?,?,00000000,?,?,?,00000004,?,?), ref: 0071024B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739553841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_710000_2FnvReiPU6.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 895956442-0
                                                                                        • Opcode ID: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
                                                                                        • Instruction ID: 1ac45a230ec72495ae84957549aa643011c886b4d1ba0f4b6982d3a1158a027b
                                                                                        • Opcode Fuzzy Hash: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
                                                                                        • Instruction Fuzzy Hash: 98118F726002106BEB214E19CC48ABBB7ACFF45721B15451DFD2AE7280D6B9ED8446E1

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00404BD1: GetTickCount.KERNEL32 ref: 00404BDD
                                                                                          • Part of subcall function 00404BD1: InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                        • lstrcmpA.KERNEL32(-00000010,00000000,?,00000000), ref: 00405114
                                                                                        • lstrcpyA.KERNEL32(-00000010,?,?), ref: 00405253
                                                                                        • lstrcmpA.KERNEL32(-00000010,00000000,-00000010,?,?,?,?,?), ref: 00405355
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountExchangeInterlockedTicklstrcpy
                                                                                        • String ID:
                                                                                        • API String ID: 4162416431-0
                                                                                        • Opcode ID: e8acb27dcbe5d2487a86e349a88a12b7971b52c73f8c974b59701084c539f241
                                                                                        • Instruction ID: c02146d65d1ec8406dc32d01bb8fb8f303b93c3970f776c7232998cb04b45f4e
                                                                                        • Opcode Fuzzy Hash: e8acb27dcbe5d2487a86e349a88a12b7971b52c73f8c974b59701084c539f241
                                                                                        • Instruction Fuzzy Hash: 7291AE71A04604AFDF15DF6AC951AAF7BA5EF54304F00447EE816AB382DB78DA40CF98

                                                                                        Control-flow Graph
                                                                                        Control-flow graph for the function at 004091EB (rendered graph; executed/not-executed legend and node and edge listing omitted)
                                                                                        APIs
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                        • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShellSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4194306370-0
                                                                                        • Opcode ID: 7eca3c6805300db696343a33d9cb0a643204c5b6a4206eeac8d502d0aa8fcc06
                                                                                        • Instruction ID: 6b3793665da58c3d641b44977197beb843871c0b6a2cff5b7a0acf506f3bfc8d
                                                                                        • Opcode Fuzzy Hash: 7eca3c6805300db696343a33d9cb0a643204c5b6a4206eeac8d502d0aa8fcc06
                                                                                        • Instruction Fuzzy Hash: 7741EE718083497EEB269664E88C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                          • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocateSize
                                                                                        • String ID:
                                                                                        • API String ID: 2559512979-0
                                                                                        • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                        • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
                                                                                        APIs
                                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1823874839-0
                                                                                        • Opcode ID: 7e4ae6be47200154ff028bb1e1ff25be10201b73ffa926c49eb2fe181a2a4163
                                                                                        • Instruction ID: ee48c6aff4f3cfee6008d9a51cd09a6e26e011b11466ee3f62e74e831bc3a826
                                                                                        • Opcode Fuzzy Hash: 7e4ae6be47200154ff028bb1e1ff25be10201b73ffa926c49eb2fe181a2a4163
                                                                                        • Instruction Fuzzy Hash: 38F0AFB6104218AFD7109B68EDC4FE777BE9714308F1084B6E286E3141DAB89DA85B6C
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,000008D0,00001000,00000040), ref: 006F0065
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739541450.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6f0000_2FnvReiPU6.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 4951f6c36d1fa03500621e02ddc7bb0f5560f54398a83bde0800dfd9e4836d3c
                                                                                        • Instruction ID: 623b08ccf51c40fcd8a45172b7d15bc7f071fb8975601b203086ba1c7e212142
                                                                                        • Opcode Fuzzy Hash: 4951f6c36d1fa03500621e02ddc7bb0f5560f54398a83bde0800dfd9e4836d3c
                                                                                        • Instruction Fuzzy Hash: EF01AC759003496BE7102F74CC45BAF3B99FF84720F514469FA9AA7282C97898818B94
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00710093), ref: 007105DD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739553841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_710000_2FnvReiPU6.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
                                                                                        • Instruction ID: 65ce390d9ce214b0b9a70d03eb22b0c205847d94ce1a40b3c250883ace489992
                                                                                        • Opcode Fuzzy Hash: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
                                                                                        • Instruction Fuzzy Hash: EAB012B22C038477EB304E614C0EF8A3661ABC8FA3F350000FB106B1C48AF0E8018624
                                                                                        APIs
                                                                                        • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                        • closesocket.WS2_32(?), ref: 0040CB63
                                                                                        • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                        • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                        • wsprintfA.USER32 ref: 0040CD21
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                        • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                        • closesocket.WS2_32(?), ref: 0040D56C
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                        • ExitProcess.KERNEL32 ref: 0040D583
                                                                                        • wsprintfA.USER32 ref: 0040D81F
                                                                                          • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                        • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                        • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • API String ID: 562065436-3791576231
                                                                                        • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                        • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-179334549
                                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 29b29ba27ec834052d86494178e52c9b6600cd948377f9b0f2b6c99c1419fed0
                                                                                        • Instruction ID: 136d33d61de9b77116bbe3bbd7cc91a466c000d0b1383b285604d193ab548d94
                                                                                        • Opcode Fuzzy Hash: 29b29ba27ec834052d86494178e52c9b6600cd948377f9b0f2b6c99c1419fed0
                                                                                        • Instruction Fuzzy Hash: 1451EAB05043446FD330AF768C85F67BAECEB84708F00493FF955A2292D7BDA94487A9
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                                        • select.WS2_32 ref: 00402B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2404124870-2980165447
                                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                                        Strings
                                                                                        • %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u, xrefs: 0040B3AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
                                                                                        • API String ID: 766114626-4076198852
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                        • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID: *p@
                                                                                        • API String ID: 3429775523-2474123842
                                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                        • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                          • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                          • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3754425949-0
                                                                                        • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                        • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                        • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                        • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739541450.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6f0000_2FnvReiPU6.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b4ea57e9c5b474e0a01886bed018e1aaea45c2fe781a12c9dc45aeed4f903f47
                                                                                        • Instruction ID: 5db77fd2341083ad28196d4f9019460ab730360bb2d63ae69d4d10de97621c18
                                                                                        • Opcode Fuzzy Hash: b4ea57e9c5b474e0a01886bed018e1aaea45c2fe781a12c9dc45aeed4f903f47
                                                                                        • Instruction Fuzzy Hash: D4418172201108AFEB50EF64C945EBAB7AAFF44724F25451DFA059B613CB71EC02CBA4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                        • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                        • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                        • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739553841.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_710000_2FnvReiPU6.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
                                                                                        • Instruction ID: 01a5f0ec89f24e968a62e557aac809da5124b40e883a9466b9a22dc6830ed83b
                                                                                        • Opcode Fuzzy Hash: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
                                                                                        • Instruction Fuzzy Hash: 4EE0E231140040CFCF9A9F28D954694B762FB48329F3488ADE8164A2D2CBBAC8C3CE40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739541450.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6f0000_2FnvReiPU6.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
                                                                                        • Instruction ID: 62027f2b813192b09002667c3ccc931cc49f225998ef4390caf2ab2336e49529
                                                                                        • Opcode Fuzzy Hash: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
                                                                                        • Instruction Fuzzy Hash: C3E0E232140045CFDB9E9F20D9506A4B762FB4832AF3488ADE8064A293CB76C843DE00
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2976863881-1403908072
                                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: daf4d949a7859ac2eff1297604e09a10f79e0a9bf3e1ba7555a3ae86ccb7c85f
                                                                                        • Instruction ID: adaa1854a3122378bd2daea31773aef3e538fc03cb04507581bb4a4c69c5dae0
                                                                                        • Opcode Fuzzy Hash: daf4d949a7859ac2eff1297604e09a10f79e0a9bf3e1ba7555a3ae86ccb7c85f
                                                                                        • Instruction Fuzzy Hash: F6615E72940208EFDB609FB4DC45FEA77E9FF08300F24846AF96DD21A1DA7599908F58
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                        • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: PromptOnSecureDesktop$localcfg
                                                                                        • API String ID: 237177642-1678164370
                                                                                        • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                        • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(00410750), ref: 0040A7A9
                                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX
                                                                                        • API String ID: 3631595830-340622817
                                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-142018493
                                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                        • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                        • API String ID: 1082366364-2834986871
                                                                                        • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                        • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2981417381-1403908072
                                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                        • wsprintfA.USER32 ref: 00407036
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                        • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3609698214-2980165447
                                                                                        • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                        • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2439722600-2980165447
                                                                                        • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                        • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                        • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1586453840-2980165447
                                                                                        • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                        • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1371578007-2980165447
                                                                                        • Opcode ID: a40dfeaab3bfebff7a793825c1972f7e21326da42d84a9a6f547d2f5fe47edea
                                                                                        • Instruction ID: a2cdbfba8670e70976da4da8790d1ec110d93932d0bd5f5a37bac27c5c352c9a
                                                                                        • Opcode Fuzzy Hash: a40dfeaab3bfebff7a793825c1972f7e21326da42d84a9a6f547d2f5fe47edea
                                                                                        • Instruction Fuzzy Hash: C44181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7389A51DBA4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3857584221-2980165447
                                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A$ A
• API String ID: 3343386518-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                        • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                        • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3683885500-2980165447
                                                                                        • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                        • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                        • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                        • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 2574300362-1087626847
                                                                                        • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                        • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2777991786-2393279970
                                                                                        • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                        • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                        • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                        • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValue
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 849931509-2980165447
                                                                                        • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                        • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                        • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                        • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                        • API String ID: 2111968516-120809033
                                                                                        • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                        • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                        • GetLastError.KERNEL32 ref: 00403F4E
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                        APIs
                                                                                        • lstrcmpA.KERNEL32(?,80000009,00000000,80000001, A,0040DF42,00000000,00000001,?,?,75A8EA50,80000001), ref: 0040DDFF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 1534048567-1846390581
                                                                                        • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction ID: c5fbbd52a51a7e9422c94d4498ca6242d6f87b7f53d1a68151d56bafafc3fa70
                                                                                        • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction Fuzzy Hash: 68F06871A00712DBCB20CF55D884993B7E9FF59321B04863BE154D75A0D374A998CB99
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                        • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                        • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                        • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                        • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                        • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                        • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                        • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00403103
                                                                                        • GetTickCount.KERNEL32 ref: 0040310F
                                                                                        • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                        • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                          • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                          • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                          • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4151426672-2980165447
                                                                                        • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                        • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                        • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                        • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
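The "API ID" shown on each function summary is a token signature built from the listed API calls, which makes it useful for matching a routine across reports even when the Instruction ID and fuzzy hashes differ. The following Python is an added example, not Joe Sandbox code: it reconstructs the API ID from the "APIs" bullet lines of a summary. The tokenisation, the stop-word set and the "$" separator rule are inferred from the entries on this page only and are assumptions; other reports may need the stop-word set extended.

```python
"""Rebuild a Joe Sandbox style 'API ID' from the API bullet lines of one
function summary. Added example; the rules below are inferred from this
report's own entries (an assumption, see STOP_TOKENS)."""
import re
from collections import Counter
from typing import Iterable

# Line shapes taken from the summaries on this page:
#   • GetTickCount.KERNEL32 ref: 0040A4D1
#   • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
#   • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(...), ref: 0040E161
# Sub-call lines are included: the Reg* calls of 0040E095 appear in the
# API ID of the WriteFile/CloseHandle function above.
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
)

# CamelCase pieces ('GetTickCount' -> Get, Tick, Count); an all-lowercase
# name such as 'inet_ntoa' or 'wsprintf' stays a single token.
_TOKEN = re.compile(r"[A-Z][a-z0-9]*|[a-z][a-z0-9_]*")

# Tokens present in the API names on this page but never in an API ID
# (assumption: inferred from this report; a 'W' suffix is not covered).
STOP_TOKENS = frozenset({"Get", "Reg", "Set", "Key", "Ex", "Id", "A"})


def tokenize(api_name: str) -> list[str]:
    """'RegCreateKeyExA' -> ['Create'];  'lstrcpynA' -> ['lstrcpyn']."""
    return [t for t in _TOKEN.findall(api_name) if t not in STOP_TOKENS]


def extract_api_names(lines: Iterable[str]) -> list[str]:
    """API names, duplicates kept, in the order the summary lists them."""
    names = []
    for line in lines:
        m = _API_LINE.match(line)
        if m:
            names.append(m.group("name"))
    return names


def api_id(api_names: Iterable[str]) -> str:
    """Tokens seen more than once (sorted), then '$', then tokens seen once
    (sorted). The '$' is omitted when nothing repeats. Sorting is plain
    code-point order, which is why 'wsprintf' follows 'Tick' in the report."""
    counts = Counter(t for name in api_names for t in tokenize(name))
    repeated = sorted(t for t, n in counts.items() if n > 1)
    single = sorted(t for t, n in counts.items() if n == 1)
    if repeated and single:
        return "".join(repeated) + "$" + "".join(single)
    return "".join(repeated) + "".join(single)


def api_id_from_summary(text: str) -> str:
    """Convenience wrapper: raw 'APIs' section text -> API ID."""
    return api_id(extract_api_names(text.splitlines()))


# Constructed from the WriteFile/CloseHandle summary on this page.
SAMPLE_FUNCTION = """\
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?), ref: 0040E127
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?), ref: 0040E158
  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?), ref: 0040E161
"""

if __name__ == "__main__":
    print(api_id_from_summary(SAMPLE_FUNCTION))  # CloseValue$CreateDeleteFileHandleWrite
```

Run it over the "APIs" block of each function and compare the result with the report's own API ID; a mismatch points at a token rule this page does not exhibit, and an identical API ID on two different samples is a cheap first-pass signal that the same routine (here, the same spam-bot code) is present in both.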
                                                                                        APIs
                                                                                        Strings
                                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTickwsprintf
                                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                        • API String ID: 2424974917-1012700906
                                                                                        • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                        • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                        APIs
                                                                                          • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                          • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 3716169038-2903620461
                                                                                        • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                        • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2777991786-1857712256
                                                                                        • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                        • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                        APIs
                                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                        • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 224340156-2903620461
                                                                                        • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                        • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                        APIs
                                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                        • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2112563974-1857712256
                                                                                        • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                        • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 1594361348-2401304539
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: ntdll.dll
                                                                                        • API String ID: 2574300362-2227199552
                                                                                        APIs
                                                                                          • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                          • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1739353822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1739341975.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739379619.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739392809.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1739404967.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2FnvReiPU6.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0

                                                                                        Execution Graph

                                                                                        Execution Coverage:6.3%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:1862
                                                                                        Total number of Limit Nodes:19
7317 40cd16 wsprintfA 7317->7321 7318 40d149 SetFileAttributesA 7318->7313 7319 40d1bf SetFileAttributesA 7319->7342 7320 40d36e GetEnvironmentVariableA 7320->7342 7321->7317 7778 407fcf 7321->7778 7322 40d22d GetEnvironmentVariableA 7322->7342 7323 407ead 6 API calls 7323->7342 7324 40d3af lstrcatA 7326 40d3f2 CreateFileA 7324->7326 7324->7342 7329 40d415 WriteFile CloseHandle 7326->7329 7326->7342 7328 407fcf 64 API calls 7328->7342 7329->7342 7330 40cd81 WaitForSingleObject CloseHandle CloseHandle 7332 40f04e 4 API calls 7330->7332 7331 40cda5 7333 407ee6 64 API calls 7331->7333 7332->7331 7336 40cdbd DeleteFileA 7333->7336 7334 40d3e0 SetFileAttributesA 7334->7326 7335 40d26e lstrcatA 7338 40d2b1 CreateFileA 7335->7338 7335->7342 7336->7342 7337 40d4b1 CreateProcessA 7339 40d4e8 CloseHandle CloseHandle 7337->7339 7337->7342 7338->7342 7343 40d2d8 WriteFile CloseHandle 7338->7343 7339->7342 7340 407ee6 64 API calls 7340->7342 7341 40d452 SetFileAttributesA 7341->7342 7342->7280 7342->7282 7342->7288 7342->7293 7342->7294 7342->7295 7342->7296 7342->7297 7342->7298 7342->7300 7342->7301 7342->7303 7342->7304 7342->7305 7342->7306 7342->7307 7342->7308 7342->7309 7342->7310 7342->7312 7342->7313 7342->7318 7342->7319 7342->7320 7342->7322 7342->7323 7342->7324 7342->7326 7342->7328 7342->7334 7342->7335 7342->7337 7342->7338 7342->7340 7342->7341 7345 40d29f SetFileAttributesA 7342->7345 7347 40d31d SetFileAttributesA 7342->7347 7757 40c75d 7342->7757 7769 407e2f 7342->7769 7791 407ead 7342->7791 7801 4031d0 7342->7801 7818 403c09 7342->7818 7828 403a00 7342->7828 7832 40e7b4 7342->7832 7835 40c06c 7342->7835 7841 406f5f GetUserNameA 7342->7841 7852 40e854 7342->7852 7862 407dd6 7342->7862 7343->7342 7345->7338 7347->7342 7349 40741b 7348->7349 7350 406dc2 6 API calls 7349->7350 7351 40743f 7350->7351 7352 407469 RegOpenKeyExA 7351->7352 7353 407487 ___ascii_stricmp 7352->7353 7354 4077f9 7352->7354 7355 407703 RegEnumKeyA 7353->7355 7357 4074d2 RegOpenKeyExA 
7353->7357 7358 40772c 7353->7358 7359 407521 RegQueryValueExA 7353->7359 7363 4076e4 RegCloseKey 7353->7363 7365 40f1a5 lstrlenA 7353->7365 7366 40777e GetFileAttributesExA 7353->7366 7367 407769 7353->7367 7354->7021 7355->7353 7356 407714 RegCloseKey 7355->7356 7356->7354 7357->7353 7360 407742 RegCloseKey 7358->7360 7361 40774b 7358->7361 7359->7353 7360->7361 7362 4077ec RegCloseKey 7361->7362 7362->7354 7363->7353 7364 4077e3 RegCloseKey 7364->7362 7365->7353 7366->7367 7367->7364 7369 407073 7368->7369 7370 4070b9 RegOpenKeyExA 7369->7370 7371 4070d0 7370->7371 7386 4071b8 7370->7386 7372 406dc2 6 API calls 7371->7372 7375 4070d5 7372->7375 7373 40719b RegEnumValueA 7374 4071af RegCloseKey 7373->7374 7373->7375 7374->7386 7375->7373 7377 4071d0 7375->7377 7393 40f1a5 lstrlenA 7375->7393 7378 407205 RegCloseKey 7377->7378 7379 407227 7377->7379 7378->7386 7380 4072b8 ___ascii_stricmp 7379->7380 7381 40728e RegCloseKey 7379->7381 7382 4072cd RegCloseKey 7380->7382 7383 4072dd 7380->7383 7381->7386 7382->7386 7384 407311 RegCloseKey 7383->7384 7385 407335 7383->7385 7384->7386 7387 40f1a5 lstrlenA 7385->7387 7386->7025 7389 40733d 7387->7389 7388 4073d5 RegCloseKey 7390 4073e4 7388->7390 7389->7388 7391 40737e GetFileAttributesExA 7389->7391 7392 407397 7389->7392 7391->7392 7392->7388 7394 40f1c3 7393->7394 7394->7375 7396 406e5f LookupAccountNameW 7395->7396 7397 406e97 7395->7397 7396->7397 7397->7027 7399 40eb17 7398->7399 7400 40eb21 7398->7400 7408 40eae4 7399->7408 7400->7067 7404 4069b9 WriteFile 7402->7404 7405 406a3c 7404->7405 7407 4069ff 7404->7407 7405->7063 7405->7064 7406 406a10 WriteFile 7406->7405 7406->7407 7407->7405 7407->7406 7409 40eb02 GetProcAddress 7408->7409 7410 40eaed LoadLibraryA 7408->7410 7409->7400 7410->7409 7411 40eb01 7410->7411 7411->7400 7413 401924 GetVersionExA 7412->7413 7413->7078 7415 406f55 7414->7415 7416 406eef AllocateAndInitializeSid 7414->7416 7415->7088 7417 406f44 7416->7417 7418 406f1c CheckTokenMembership 
7416->7418 7417->7415 7421 406e36 2 API calls 7417->7421 7419 406f3b FreeSid 7418->7419 7420 406f2e 7418->7420 7419->7417 7420->7419 7421->7415 7423 40f0f1 7422->7423 7424 40f0ed 7422->7424 7425 40f119 7423->7425 7426 40f0fa lstrlenA SysAllocStringByteLen 7423->7426 7424->7110 7428 40f11c MultiByteToWideChar 7425->7428 7427 40f117 7426->7427 7426->7428 7427->7110 7428->7427 7430 401820 17 API calls 7429->7430 7431 4018f2 7430->7431 7432 4018f9 7431->7432 7446 401280 7431->7446 7432->7105 7434 401908 7434->7105 7436 401000 16 API calls 7435->7436 7437 401839 7436->7437 7438 401851 GetCurrentProcess 7437->7438 7439 40183d 7437->7439 7440 401864 7438->7440 7439->7096 7440->7096 7442 40920e 7441->7442 7445 409308 7441->7445 7442->7442 7443 4092f1 Sleep 7442->7443 7444 4092bf ShellExecuteA 7442->7444 7442->7445 7443->7442 7444->7442 7444->7445 7445->7105 7447 4012e1 7446->7447 7448 4016f9 GetLastError 7447->7448 7452 4013a8 7447->7452 7449 401699 7448->7449 7449->7434 7450 401570 lstrlenW 7450->7452 7451 4015be GetStartupInfoW 7451->7452 7452->7449 7452->7450 7452->7451 7452->7452 7453 4015ff CreateProcessWithLogonW 7452->7453 7457 401668 CloseHandle 7452->7457 7454 4016bf GetLastError 7453->7454 7455 40163f WaitForSingleObject 7453->7455 7454->7449 7455->7452 7456 401659 CloseHandle 7455->7456 7456->7452 7457->7452 7459 40908d 7458->7459 7460 4090e2 wsprintfA 7459->7460 7461 40ee2a 7460->7461 7462 4090fd CreateFileA 7461->7462 7463 40911a lstrlenA WriteFile CloseHandle 7462->7463 7464 40913f 7462->7464 7463->7464 7464->7126 7464->7127 7466 40dd41 InterlockedExchange 7465->7466 7467 40dd20 GetCurrentThreadId 7466->7467 7468 40dd4a 7466->7468 7469 40dd53 GetCurrentThreadId 7467->7469 7470 40dd2e GetTickCount 7467->7470 7468->7469 7469->7130 7470->7468 7471 40dd39 Sleep 7470->7471 7471->7466 7473 40dbf0 7472->7473 7505 40db67 GetEnvironmentVariableA 7473->7505 7475 40dc19 7476 40dcda 7475->7476 7477 40db67 3 API calls 7475->7477 7476->7132 7478 40dc5c 7477->7478 
7478->7476 7479 40db67 3 API calls 7478->7479 7480 40dc9b 7479->7480 7480->7476 7481 40db67 3 API calls 7480->7481 7481->7476 7483 40db55 7482->7483 7484 40db3a 7482->7484 7483->7134 7483->7139 7509 40ebed 7484->7509 7518 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 7486->7518 7488 40e3be 7488->7134 7490 40e342 7490->7488 7521 40de24 7490->7521 7492 40e528 7491->7492 7493 40e3f4 7491->7493 7492->7143 7494 40e434 RegQueryValueExA 7493->7494 7495 40e458 7494->7495 7496 40e51d RegCloseKey 7494->7496 7497 40e46e RegQueryValueExA 7495->7497 7496->7492 7497->7495 7498 40e488 7497->7498 7498->7496 7499 40db2e 8 API calls 7498->7499 7500 40e499 7499->7500 7500->7496 7501 40e4b9 RegQueryValueExA 7500->7501 7502 40e4e8 7500->7502 7501->7500 7501->7502 7502->7496 7503 40e332 14 API calls 7502->7503 7504 40e513 7503->7504 7504->7496 7506 40db89 lstrcpyA CreateFileA 7505->7506 7507 40dbca 7505->7507 7506->7475 7507->7475 7510 40ec01 7509->7510 7511 40ebf6 7509->7511 7513 40eba0 codecvt 2 API calls 7510->7513 7512 40ebcc 4 API calls 7511->7512 7514 40ebfe 7512->7514 7515 40ec0a GetProcessHeap HeapReAlloc 7513->7515 7514->7483 7516 40eb74 2 API calls 7515->7516 7517 40ec28 7516->7517 7517->7483 7532 40eb41 7518->7532 7522 40de3a 7521->7522 7529 40de4e 7522->7529 7536 40dd84 7522->7536 7525 40de9e 7526 40ebed 8 API calls 7525->7526 7525->7529 7530 40def6 7526->7530 7527 40de76 7540 40ddcf 7527->7540 7529->7490 7530->7529 7531 40ddcf lstrcmpA 7530->7531 7531->7529 7533 40eb4a 7532->7533 7535 40eb54 7532->7535 7534 40eae4 2 API calls 7533->7534 7534->7535 7535->7490 7537 40ddc5 7536->7537 7538 40dd96 7536->7538 7537->7525 7537->7527 7538->7537 7539 40ddad lstrcmpiA 7538->7539 7539->7537 7539->7538 7541 40de20 7540->7541 7542 40dddd 7540->7542 7541->7529 7542->7541 7543 40ddfa lstrcmpA 7542->7543 7543->7542 7545 40dd05 6 API calls 7544->7545 7546 40e821 7545->7546 7547 40dd84 lstrcmpiA 7546->7547 7548 40e82c 7547->7548 7550 40e844 7548->7550 7592 402480 7548->7592 7550->7159 
7552 40dd05 6 API calls 7551->7552 7553 40df7c 7552->7553 7554 40dd84 lstrcmpiA 7553->7554 7558 40df89 7554->7558 7555 40dfc4 7555->7165 7556 40ddcf lstrcmpA 7556->7558 7557 40ec2e codecvt 4 API calls 7557->7558 7558->7555 7558->7556 7558->7557 7559 40dd84 lstrcmpiA 7558->7559 7559->7558 7561 40ea98 7560->7561 7601 40e8a1 7561->7601 7563 401e84 7563->7167 7565 4019d5 GetProcAddress GetProcAddress GetProcAddress 7564->7565 7568 4019ce 7564->7568 7566 401ab3 FreeLibrary 7565->7566 7567 401a04 7565->7567 7566->7568 7567->7566 7569 401a14 GetProcessHeap 7567->7569 7568->7172 7569->7568 7571 401a2e HeapAlloc 7569->7571 7571->7568 7572 401a42 7571->7572 7573 401a52 HeapReAlloc 7572->7573 7575 401a62 7572->7575 7573->7575 7574 401aa1 FreeLibrary 7574->7568 7575->7574 7576 401a96 HeapFree 7575->7576 7576->7574 7629 401ac3 LoadLibraryA 7577->7629 7580 401bcf 7580->7182 7582 401ac3 12 API calls 7581->7582 7583 401c09 7582->7583 7584 401c41 7583->7584 7585 401c0d GetComputerNameA 7583->7585 7584->7192 7586 401c45 GetVolumeInformationA 7585->7586 7587 401c1f 7585->7587 7586->7584 7587->7584 7587->7586 7589 40ee2a 7588->7589 7590 4030d0 gethostname gethostbyname 7589->7590 7591 401f82 7590->7591 7591->7197 7591->7198 7595 402419 lstrlenA 7592->7595 7594 402491 7594->7550 7596 402474 7595->7596 7597 40243d lstrlenA 7595->7597 7596->7594 7598 402464 lstrlenA 7597->7598 7599 40244e lstrcmpiA 7597->7599 7598->7596 7598->7597 7599->7598 7600 40245c 7599->7600 7600->7596 7600->7598 7602 40dd05 6 API calls 7601->7602 7603 40e8b4 7602->7603 7604 40dd84 lstrcmpiA 7603->7604 7605 40e8c0 7604->7605 7606 40e90a 7605->7606 7607 40e8c8 lstrcpynA 7605->7607 7609 402419 4 API calls 7606->7609 7617 40ea27 7606->7617 7608 40e8f5 7607->7608 7622 40df4c 7608->7622 7610 40e926 lstrlenA lstrlenA 7609->7610 7612 40e96a 7610->7612 7613 40e94c lstrlenA 7610->7613 7616 40ebcc 4 API calls 7612->7616 7612->7617 7613->7612 7614 40e901 7615 40dd84 lstrcmpiA 7614->7615 7615->7606 7618 40e98f 7616->7618 
7617->7563 7618->7617 7619 40df4c 20 API calls 7618->7619 7620 40ea1e 7619->7620 7621 40ec2e codecvt 4 API calls 7620->7621 7621->7617 7623 40dd05 6 API calls 7622->7623 7624 40df51 7623->7624 7625 40f04e 4 API calls 7624->7625 7626 40df58 7625->7626 7627 40de24 10 API calls 7626->7627 7628 40df63 7627->7628 7628->7614 7630 401ae2 GetProcAddress 7629->7630 7635 401b68 GetComputerNameA GetVolumeInformationA 7629->7635 7631 401af5 7630->7631 7630->7635 7632 40ebed 8 API calls 7631->7632 7633 401b29 7631->7633 7632->7631 7633->7633 7634 40ec2e codecvt 4 API calls 7633->7634 7633->7635 7634->7635 7635->7580 7637 406ec3 2 API calls 7636->7637 7638 407ef4 7637->7638 7639 4073ff 17 API calls 7638->7639 7648 407fc9 7638->7648 7640 407f16 7639->7640 7640->7648 7649 407809 GetUserNameA 7640->7649 7642 407f63 7643 40ef1e lstrlenA 7642->7643 7642->7648 7644 407fa6 7643->7644 7645 40ef1e lstrlenA 7644->7645 7646 407fb7 7645->7646 7673 407a95 RegOpenKeyExA 7646->7673 7648->7210 7650 40783d LookupAccountNameA 7649->7650 7651 407a8d 7649->7651 7650->7651 7652 407874 GetLengthSid GetFileSecurityA 7650->7652 7651->7642 7652->7651 7653 4078a8 GetSecurityDescriptorOwner 7652->7653 7654 4078c5 EqualSid 7653->7654 7655 40791d GetSecurityDescriptorDacl 7653->7655 7654->7655 7656 4078dc LocalAlloc 7654->7656 7655->7651 7671 407941 7655->7671 7656->7655 7657 4078ef InitializeSecurityDescriptor 7656->7657 7658 407916 LocalFree 7657->7658 7659 4078fb SetSecurityDescriptorOwner 7657->7659 7658->7655 7659->7658 7661 40790b SetFileSecurityA 7659->7661 7660 40795b GetAce 7660->7671 7661->7658 7662 407980 EqualSid 7662->7671 7663 4079be EqualSid 7663->7671 7664 407a3d 7664->7651 7665 407a43 LocalAlloc 7664->7665 7665->7651 7667 407a56 InitializeSecurityDescriptor 7665->7667 7666 40799d DeleteAce 7666->7671 7668 407a62 SetSecurityDescriptorDacl 7667->7668 7669 407a86 LocalFree 7667->7669 7668->7669 7670 407a73 SetFileSecurityA 7668->7670 7669->7651 7670->7669 7672 407a83 7670->7672 7671->7651 
7671->7660 7671->7662 7671->7663 7671->7664 7671->7666 7672->7669 7674 407ac4 7673->7674 7675 407acb GetUserNameA 7673->7675 7674->7648 7676 407da7 RegCloseKey 7675->7676 7677 407aed LookupAccountNameA 7675->7677 7676->7674 7677->7676 7678 407b24 RegGetKeySecurity 7677->7678 7678->7676 7679 407b49 GetSecurityDescriptorOwner 7678->7679 7680 407b63 EqualSid 7679->7680 7681 407bb8 GetSecurityDescriptorDacl 7679->7681 7680->7681 7682 407b74 LocalAlloc 7680->7682 7683 407da6 7681->7683 7690 407bdc 7681->7690 7682->7681 7684 407b8a InitializeSecurityDescriptor 7682->7684 7683->7676 7685 407bb1 LocalFree 7684->7685 7686 407b96 SetSecurityDescriptorOwner 7684->7686 7685->7681 7686->7685 7688 407ba6 RegSetKeySecurity 7686->7688 7687 407bf8 GetAce 7687->7690 7688->7685 7689 407c1d EqualSid 7689->7690 7690->7683 7690->7687 7690->7689 7691 407c5f EqualSid 7690->7691 7692 407cd9 7690->7692 7693 407c3a DeleteAce 7690->7693 7691->7690 7692->7683 7694 407d5a LocalAlloc 7692->7694 7695 407cf2 RegOpenKeyExA 7692->7695 7693->7690 7694->7683 7696 407d70 InitializeSecurityDescriptor 7694->7696 7695->7694 7701 407d0f 7695->7701 7697 407d7c SetSecurityDescriptorDacl 7696->7697 7698 407d9f LocalFree 7696->7698 7697->7698 7699 407d8c RegSetKeySecurity 7697->7699 7698->7683 7699->7698 7700 407d9c 7699->7700 7700->7698 7702 407d43 RegSetValueExA 7701->7702 7702->7694 7703 407d54 7702->7703 7703->7694 7704->7226 7706 40dd05 6 API calls 7705->7706 7709 40e65f 7706->7709 7707 40e6a5 7708 40ebcc 4 API calls 7707->7708 7713 40e6f5 7707->7713 7711 40e6b0 7708->7711 7709->7707 7710 40e68c lstrcmpA 7709->7710 7710->7709 7712 40e6e0 lstrcpynA 7711->7712 7711->7713 7715 40e6b7 7711->7715 7712->7713 7714 40e71d lstrcmpA 7713->7714 7713->7715 7714->7713 7715->7228 7716->7234 7718 40c525 7717->7718 7719 40c532 7717->7719 7718->7719 7721 40ec2e codecvt 4 API calls 7718->7721 7720 40c548 7719->7720 7869 40e7ff 7719->7869 7723 40e7ff lstrcmpiA 7720->7723 7731 40c54f 7720->7731 7721->7719 7724 40c615 
7723->7724 7725 40ebcc 4 API calls 7724->7725 7724->7731 7725->7731 7726 40c5d1 7729 40ebcc 4 API calls 7726->7729 7728 40e819 11 API calls 7730 40c5b7 7728->7730 7729->7731 7732 40f04e 4 API calls 7730->7732 7731->7247 7733 40c5bf 7732->7733 7733->7720 7733->7726 7735 402692 inet_addr 7734->7735 7736 40268e 7734->7736 7735->7736 7737 40269e gethostbyname 7735->7737 7738 40f428 7736->7738 7737->7736 7872 40f315 7738->7872 7743 40c8d2 7741->7743 7742 40c907 7742->7264 7743->7742 7744 40c517 23 API calls 7743->7744 7744->7742 7745 40f43e 7746 40f473 recv 7745->7746 7747 40f458 7746->7747 7748 40f47c 7746->7748 7747->7746 7747->7748 7748->7265 7750 40c670 7749->7750 7751 40c67d 7749->7751 7752 40ebcc 4 API calls 7750->7752 7753 40ebcc 4 API calls 7751->7753 7754 40c699 7751->7754 7752->7751 7753->7754 7755 40c6f3 7754->7755 7756 40c73c send 7754->7756 7755->7278 7755->7342 7756->7755 7758 40c770 7757->7758 7759 40c77d 7757->7759 7760 40ebcc 4 API calls 7758->7760 7761 40c799 7759->7761 7762 40ebcc 4 API calls 7759->7762 7760->7759 7763 40c7b5 7761->7763 7765 40ebcc 4 API calls 7761->7765 7762->7761 7764 40f43e recv 7763->7764 7766 40c7cb 7764->7766 7765->7763 7767 40f43e recv 7766->7767 7768 40c7d3 7766->7768 7767->7768 7768->7342 7885 407db7 7769->7885 7772 40f04e 4 API calls 7774 407e4c 7772->7774 7773 407e70 7775 40f04e 4 API calls 7773->7775 7776 407e96 7773->7776 7774->7773 7777 40f04e 4 API calls 7774->7777 7775->7776 7776->7342 7777->7773 7779 406ec3 2 API calls 7778->7779 7780 407fdd 7779->7780 7781 4073ff 17 API calls 7780->7781 7790 4080c2 CreateProcessA 7780->7790 7782 407fff 7781->7782 7783 407809 21 API calls 7782->7783 7782->7790 7784 40804d 7783->7784 7785 40ef1e lstrlenA 7784->7785 7784->7790 7786 40809e 7785->7786 7787 40ef1e lstrlenA 7786->7787 7788 4080af 7787->7788 7789 407a95 24 API calls 7788->7789 7789->7790 7790->7330 7790->7331 7792 407db7 2 API calls 7791->7792 7793 407eb8 7792->7793 7794 40f04e 4 API calls 7793->7794 7795 407ece DeleteFileA 
7794->7795 7795->7342 7797 40dd05 6 API calls 7796->7797 7798 40e31d 7797->7798 7889 40e177 7798->7889 7800 40e326 7800->7302 7802 4031f3 7801->7802 7812 4031ec 7801->7812 7803 40ebcc 4 API calls 7802->7803 7811 4031fc 7803->7811 7804 403459 7806 40f04e 4 API calls 7804->7806 7805 40349d 7807 40ec2e codecvt 4 API calls 7805->7807 7808 40345f 7806->7808 7807->7812 7809 4030fa 4 API calls 7808->7809 7809->7812 7810 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 7810->7811 7811->7810 7811->7812 7813 40344d 7811->7813 7816 403141 lstrcmpiA 7811->7816 7817 40344b 7811->7817 7915 4030fa GetTickCount 7811->7915 7812->7342 7814 40ec2e codecvt 4 API calls 7813->7814 7814->7817 7816->7811 7817->7804 7817->7805 7819 4030fa 4 API calls 7818->7819 7820 403c1a 7819->7820 7824 403ce6 7820->7824 7920 403a72 7820->7920 7823 403a72 9 API calls 7827 403c5e 7823->7827 7824->7342 7825 403a72 9 API calls 7825->7827 7826 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 7826->7827 7827->7824 7827->7825 7827->7826 7829 403a10 7828->7829 7830 4030fa 4 API calls 7829->7830 7831 403a1a 7830->7831 7831->7342 7833 40dd05 6 API calls 7832->7833 7834 40e7be 7833->7834 7834->7342 7836 40c105 7835->7836 7837 40c07e wsprintfA 7835->7837 7836->7342 7929 40bfce GetTickCount wsprintfA 7837->7929 7839 40c0ef 7930 40bfce GetTickCount wsprintfA 7839->7930 7842 407047 7841->7842 7843 406f88 7841->7843 7842->7342 7843->7843 7844 406f94 LookupAccountNameA 7843->7844 7845 407025 7844->7845 7846 406fcb 7844->7846 7847 406edd 5 API calls 7845->7847 7849 406fdb ConvertSidToStringSidA 7846->7849 7848 40702a wsprintfA 7847->7848 7848->7842 7849->7845 7850 406ff1 7849->7850 7851 407013 LocalFree 7850->7851 7851->7845 7853 40dd05 6 API calls 7852->7853 7854 40e85c 7853->7854 7855 40dd84 lstrcmpiA 7854->7855 7856 40e867 7855->7856 7857 40e885 lstrcpyA 7856->7857 7931 4024a5 7856->7931 7934 40dd69 7857->7934 7863 407db7 2 API calls 7862->7863 7864 407de1 7863->7864 7865 40f04e 4 API calls 
7864->7865 7868 407e16 7864->7868 7866 407df2 7865->7866 7867 40f04e 4 API calls 7866->7867 7866->7868 7867->7868 7868->7342 7870 40dd84 lstrcmpiA 7869->7870 7871 40c58e 7870->7871 7871->7720 7871->7726 7871->7728 7873 40ca1d 7872->7873 7874 40f33b 7872->7874 7873->7261 7873->7745 7875 40f347 htons socket 7874->7875 7876 40f382 ioctlsocket 7875->7876 7877 40f374 closesocket 7875->7877 7878 40f3aa connect select 7876->7878 7879 40f39d 7876->7879 7877->7873 7878->7873 7881 40f3f2 __WSAFDIsSet 7878->7881 7880 40f39f closesocket 7879->7880 7880->7873 7881->7880 7882 40f403 ioctlsocket 7881->7882 7884 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7882->7884 7884->7873 7886 407dc8 InterlockedExchange 7885->7886 7887 407dc0 Sleep 7886->7887 7888 407dd4 7886->7888 7887->7886 7888->7772 7888->7773 7890 40e184 7889->7890 7891 40e2e4 7890->7891 7892 40e223 7890->7892 7905 40dfe2 7890->7905 7891->7800 7892->7891 7895 40dfe2 8 API calls 7892->7895 7894 40e1be 7894->7892 7897 40dbcf 3 API calls 7894->7897 7896 40e23c 7895->7896 7896->7891 7909 40e095 RegCreateKeyExA 7896->7909 7899 40e1d6 7897->7899 7898 40e21a CloseHandle 7898->7892 7899->7892 7899->7898 7900 40e1f9 WriteFile 7899->7900 7900->7898 7902 40e213 7900->7902 7902->7898 7903 40e2a3 7903->7891 7904 40e095 4 API calls 7903->7904 7904->7891 7906 40dffc 7905->7906 7908 40e024 7905->7908 7907 40db2e 8 API calls 7906->7907 7906->7908 7907->7908 7908->7894 7910 40e0c0 7909->7910 7911 40e172 7909->7911 7912 40e13d 7910->7912 7914 40e115 RegSetValueExA 7910->7914 7911->7903 7913 40e14e RegDeleteValueA RegCloseKey 7912->7913 7913->7911 7914->7910 7914->7912 7916 403122 InterlockedExchange 7915->7916 7917 40312e 7916->7917 7918 40310f GetTickCount 7916->7918 7917->7811 7918->7917 7919 40311a Sleep 7918->7919 7919->7916 7921 40f04e 4 API calls 7920->7921 7922 403a83 7921->7922 7925 403bc0 7922->7925 7926 403b66 lstrlenA 7922->7926 7927 403ac1 7922->7927 7923 403be6 7924 40ec2e codecvt 4 API calls 7923->7924 
7924->7927 7925->7923 7928 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 7925->7928 7926->7922 7926->7927 7927->7823 7927->7824 7928->7925 7929->7839 7930->7836 7932 402419 4 API calls 7931->7932 7933 4024b6 7932->7933 7933->7857 7935 40dd79 lstrlenA 7934->7935 7935->7342 7937 404084 7936->7937 7938 40407d 7936->7938 7939 403ecd 6 API calls 7937->7939 7940 40408f 7939->7940 7941 404000 3 API calls 7940->7941 7943 404095 7941->7943 7942 404130 7944 403ecd 6 API calls 7942->7944 7943->7942 7948 403f18 4 API calls 7943->7948 7945 404159 CreateNamedPipeA 7944->7945 7946 404167 Sleep 7945->7946 7947 404188 ConnectNamedPipe 7945->7947 7946->7942 7949 404176 CloseHandle 7946->7949 7951 404195 GetLastError 7947->7951 7961 4041ab 7947->7961 7950 4040da 7948->7950 7949->7947 7952 403f8c 4 API calls 7950->7952 7953 40425e DisconnectNamedPipe 7951->7953 7951->7961 7954 4040ec 7952->7954 7953->7947 7955 404127 CloseHandle 7954->7955 7956 404101 7954->7956 7955->7942 7958 403f18 4 API calls 7956->7958 7957 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7957->7961 7959 40411c ExitProcess 7958->7959 7960 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7960->7961 7961->7947 7961->7953 7961->7957 7961->7960 7962 40426a CloseHandle CloseHandle 7961->7962 7963 40e318 23 API calls 7962->7963 7964 40427b 7963->7964 7964->7964 7966 408791 7965->7966 7967 40879f 7965->7967 7969 40f04e 4 API calls 7966->7969 7968 4087bc 7967->7968 7970 40f04e 4 API calls 7967->7970 7971 40e819 11 API calls 7968->7971 7969->7967 7970->7968 7972 4087d7 7971->7972 7984 408803 7972->7984 7986 4026b2 gethostbyaddr 7972->7986 7974 4087eb 7976 40e8a1 30 API calls 7974->7976 7974->7984 7976->7984 7979 40e819 11 API calls 7979->7984 7980 4088a0 Sleep 7980->7984 7981 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7981->7984 7983 4026b2 2 API calls 7983->7984 7984->7979 7984->7980 7984->7981 7984->7983 7985 40e8a1 30 API 
calls 7984->7985 7991 40c4d6 7984->7991 7994 40c4e2 7984->7994 7997 402011 7984->7997 8032 408328 7984->8032 7985->7984 7987 4026fb 7986->7987 7988 4026cd 7986->7988 7987->7974 7989 4026e1 inet_ntoa 7988->7989 7990 4026de 7988->7990 7989->7990 7990->7974 8084 40c2dc 7991->8084 7995 40c2dc 141 API calls 7994->7995 7996 40c4ec 7995->7996 7996->7984 7998 402020 7997->7998 7999 40202e 7997->7999 8000 40f04e 4 API calls 7998->8000 8001 40204b 7999->8001 8002 40f04e 4 API calls 7999->8002 8000->7999 8003 40206e GetTickCount 8001->8003 8004 40f04e 4 API calls 8001->8004 8002->8001 8005 4020db GetTickCount 8003->8005 8014 402090 8003->8014 8008 402068 8004->8008 8006 402132 GetTickCount GetTickCount 8005->8006 8007 4020e7 8005->8007 8010 40f04e 4 API calls 8006->8010 8011 40212b GetTickCount 8007->8011 8020 401978 15 API calls 8007->8020 8026 402125 8007->8026 8424 402ef8 8007->8424 8008->8003 8009 4020d4 GetTickCount 8009->8005 8013 402159 8010->8013 8011->8006 8012 402684 2 API calls 8012->8014 8017 40e854 13 API calls 8013->8017 8028 4021b4 8013->8028 8014->8009 8014->8012 8023 4020ce 8014->8023 8419 401978 8014->8419 8016 40f04e 4 API calls 8021 4021d1 8016->8021 8019 40218e 8017->8019 8022 40e819 11 API calls 8019->8022 8020->8007 8024 40ea84 30 API calls 8021->8024 8031 4021f2 8021->8031 8025 40219c 8022->8025 8023->8009 8027 4021ec 8024->8027 8025->8028 8432 401c5f 8025->8432 8026->8011 8029 40f04e 4 API calls 8027->8029 8028->8016 8029->8031 8031->7984 8033 407dd6 6 API calls 8032->8033 8034 40833c 8033->8034 8035 408340 8034->8035 8036 406ec3 2 API calls 8034->8036 8035->7984 8037 40834f 8036->8037 8038 40835c 8037->8038 8043 40846b 8037->8043 8039 4073ff 17 API calls 8038->8039 8040 408373 8039->8040 8040->8035 8061 4083ea RegOpenKeyExA 8040->8061 8072 408450 8040->8072 8041 408626 GetTempPathA 8068 408638 8041->8068 8042 40675c 21 API calls 8046 4085df 8042->8046 8044 4084a7 RegOpenKeyExA 8043->8044 8043->8072 8047 4084c0 RegQueryValueExA 8044->8047 8049 40852f 
8044->8049 8046->8041 8055 408762 8046->8055 8046->8068 8050 408521 RegCloseKey 8047->8050 8054 4084dd 8047->8054 8048 4086ad 8052 407e2f 6 API calls 8048->8052 8048->8055 8051 408564 RegOpenKeyExA 8049->8051 8063 4085a5 8049->8063 8050->8049 8053 408573 RegSetValueExA RegCloseKey 8051->8053 8051->8063 8064 4086bb 8052->8064 8053->8063 8054->8050 8056 40ebcc 4 API calls 8054->8056 8055->8035 8058 40ec2e codecvt 4 API calls 8055->8058 8060 4084f0 8056->8060 8057 40875b DeleteFileA 8057->8055 8058->8035 8060->8050 8062 4084f8 RegQueryValueExA 8060->8062 8065 4083fd RegQueryValueExA 8061->8065 8061->8072 8062->8050 8066 408515 8062->8066 8067 40ec2e codecvt 4 API calls 8063->8067 8063->8072 8064->8057 8073 4086e0 lstrcpyA lstrlenA 8064->8073 8069 40842d RegSetValueExA 8065->8069 8070 40841e 8065->8070 8071 40ec2e codecvt 4 API calls 8066->8071 8067->8072 8504 406ba7 IsBadCodePtr 8068->8504 8074 408447 RegCloseKey 8069->8074 8070->8069 8070->8074 8075 40851d 8071->8075 8072->8042 8072->8046 8076 407fcf 64 API calls 8073->8076 8074->8072 8075->8050 8077 408719 CreateProcessA 8076->8077 8078 40873d CloseHandle CloseHandle 8077->8078 8079 40874f 8077->8079 8078->8055 8080 407ee6 64 API calls 8079->8080 8081 408754 8080->8081 8082 407ead 6 API calls 8081->8082 8083 40875a 8082->8083 8083->8057 8100 40a4c7 GetTickCount 8084->8100 8087 40c45e 8092 40c4d2 8087->8092 8093 40c4ab InterlockedIncrement CreateThread 8087->8093 8088 40c300 GetTickCount 8090 40c337 8088->8090 8089 40c326 8089->8090 8091 40c32b GetTickCount 8089->8091 8090->8087 8095 40c363 GetTickCount 8090->8095 8091->8090 8092->7984 8093->8092 8094 40c4cb CloseHandle 8093->8094 8105 40b535 8093->8105 8094->8092 8095->8087 8096 40c373 8095->8096 8097 40c378 GetTickCount 8096->8097 8098 40c37f 8096->8098 8097->8098 8099 40c43b GetTickCount 8098->8099 8099->8087 8101 40a4f7 InterlockedExchange 8100->8101 8102 40a500 8101->8102 8103 40a4e4 GetTickCount 8101->8103 8102->8087 8102->8088 8102->8089 8103->8102 8104 40a4ef 
Sleep 8103->8104 8104->8101 8106 40b566 8105->8106 8107 40ebcc 4 API calls 8106->8107 8108 40b587 8107->8108 8109 40ebcc 4 API calls 8108->8109 8155 40b590 8109->8155 8110 40bdcd InterlockedDecrement 8111 40bde2 8110->8111 8113 40ec2e codecvt 4 API calls 8111->8113 8114 40bdea 8113->8114 8115 40ec2e codecvt 4 API calls 8114->8115 8117 40bdf2 8115->8117 8116 40bdb7 Sleep 8116->8155 8118 40be05 8117->8118 8120 40ec2e codecvt 4 API calls 8117->8120 8119 40bdcc 8119->8110 8120->8118 8121 40ebed 8 API calls 8121->8155 8124 40b6b6 lstrlenA 8124->8155 8125 4030b5 2 API calls 8125->8155 8126 40b6ed lstrcpyA 8180 405ce1 8126->8180 8127 40e819 11 API calls 8127->8155 8130 40b731 lstrlenA 8130->8155 8131 40b71f lstrcmpA 8131->8130 8131->8155 8132 40b772 GetTickCount 8132->8155 8133 40bd49 InterlockedIncrement 8277 40a628 8133->8277 8136 40bc5b InterlockedIncrement 8136->8155 8137 40b7ce InterlockedIncrement 8190 40acd7 8137->8190 8138 4038f0 6 API calls 8138->8155 8141 40b912 GetTickCount 8141->8155 8142 40b826 InterlockedIncrement 8142->8132 8143 40b932 GetTickCount 8145 40bc6d InterlockedIncrement 8143->8145 8143->8155 8144 40bcdc closesocket 8144->8155 8145->8155 8147 40a7c1 22 API calls 8147->8155 8148 40bba6 InterlockedIncrement 8148->8155 8151 40bc4c closesocket 8151->8155 8153 405ce1 22 API calls 8153->8155 8154 40ba71 wsprintfA 8211 40a7c1 8154->8211 8155->8110 8155->8116 8155->8119 8155->8121 8155->8124 8155->8125 8155->8126 8155->8127 8155->8130 8155->8131 8155->8132 8155->8133 8155->8136 8155->8137 8155->8138 8155->8141 8155->8142 8155->8143 8155->8144 8155->8147 8155->8148 8155->8151 8155->8153 8155->8154 8156 405ded 12 API calls 8155->8156 8159 40ab81 lstrcpynA InterlockedIncrement 8155->8159 8160 40ef1e lstrlenA 8155->8160 8162 403e10 8155->8162 8165 403e4f 8155->8165 8168 40384f 8155->8168 8188 40a7a3 inet_ntoa 8155->8188 8195 40abee 8155->8195 8207 401feb GetTickCount 8155->8207 8208 40a688 8155->8208 8231 403cfb 8155->8231 8234 40b3c5 8155->8234 8265 40ab81 
8155->8265 8156->8155 8159->8155 8160->8155 8163 4030fa 4 API calls 8162->8163 8164 403e1d 8163->8164 8164->8155 8166 4030fa 4 API calls 8165->8166 8167 403e5c 8166->8167 8167->8155 8169 4030fa 4 API calls 8168->8169 8171 403863 8169->8171 8170 4038b2 8170->8155 8171->8170 8172 4038b9 8171->8172 8173 403889 8171->8173 8286 4035f9 8172->8286 8280 403718 8173->8280 8178 403718 6 API calls 8178->8170 8179 4035f9 6 API calls 8179->8170 8181 405cf4 8180->8181 8182 405cec 8180->8182 8184 404bd1 4 API calls 8181->8184 8292 404bd1 GetTickCount 8182->8292 8185 405d02 8184->8185 8297 405472 8185->8297 8189 40a7b9 8188->8189 8189->8155 8191 40f315 14 API calls 8190->8191 8192 40aceb 8191->8192 8193 40acff 8192->8193 8194 40f315 14 API calls 8192->8194 8193->8155 8194->8193 8196 40abfb 8195->8196 8200 40ac65 8196->8200 8360 402f22 8196->8360 8198 40f315 14 API calls 8198->8200 8199 40ac23 8199->8200 8203 402684 2 API calls 8199->8203 8200->8198 8201 40ac6f 8200->8201 8206 40ac8a 8200->8206 8202 40ab81 2 API calls 8201->8202 8204 40ac81 8202->8204 8203->8199 8368 4038f0 8204->8368 8206->8155 8207->8155 8382 40a63d 8208->8382 8210 40a696 8210->8155 8212 40a87d lstrlenA send 8211->8212 8213 40a7df 8211->8213 8214 40a899 8212->8214 8215 40a8bf 8212->8215 8213->8212 8220 40a7fa wsprintfA 8213->8220 8221 40a80a 8213->8221 8224 40a8f2 8213->8224 8218 40a8a5 wsprintfA 8214->8218 8230 40a89e 8214->8230 8216 40a8c4 send 8215->8216 8215->8224 8219 40a8d8 wsprintfA 8216->8219 8216->8224 8217 40a978 recv 8223 40a982 8217->8223 8217->8224 8218->8230 8219->8230 8220->8221 8221->8212 8222 40a9b0 wsprintfA 8222->8230 8225 4030b5 2 API calls 8223->8225 8223->8230 8224->8217 8224->8222 8224->8223 8226 40ab05 8225->8226 8227 40e819 11 API calls 8226->8227 8228 40ab17 8227->8228 8229 40a7a3 inet_ntoa 8228->8229 8229->8230 8230->8155 8232 4030fa 4 API calls 8231->8232 8233 403d0b 8232->8233 8233->8155 8235 405ce1 22 API calls 8234->8235 8236 40b3e6 8235->8236 8237 405ce1 22 API calls 8236->8237 
8238 40b404 8237->8238 8239 40ef7c 3 API calls 8238->8239 8245 40b440 8238->8245 8241 40b42b 8239->8241 8240 40ef7c 3 API calls 8242 40b458 wsprintfA 8240->8242 8243 40ef7c 3 API calls 8241->8243 8244 40ef7c 3 API calls 8242->8244 8243->8245 8246 40b480 8244->8246 8245->8240 8247 40ef7c 3 API calls 8246->8247 8248 40b493 8247->8248 8249 40ef7c 3 API calls 8248->8249 8250 40b4bb 8249->8250 8387 40ad89 GetLocalTime SystemTimeToFileTime 8250->8387 8254 40b4cc 8255 40ef7c 3 API calls 8254->8255 8256 40b4dd 8255->8256 8257 40b211 7 API calls 8256->8257 8258 40b4ec 8257->8258 8259 40ef7c 3 API calls 8258->8259 8260 40b4fd 8259->8260 8261 40b211 7 API calls 8260->8261 8262 40b509 8261->8262 8263 40ef7c 3 API calls 8262->8263 8264 40b51a 8263->8264 8264->8155 8266 40ab8c 8265->8266 8267 40abe9 GetTickCount 8265->8267 8266->8267 8268 40aba8 lstrcpynA 8266->8268 8269 40abe1 InterlockedIncrement 8266->8269 8270 40a51d 8267->8270 8268->8266 8269->8266 8271 40a4c7 4 API calls 8270->8271 8272 40a52c 8271->8272 8273 40a542 GetTickCount 8272->8273 8275 40a539 GetTickCount 8272->8275 8273->8275 8276 40a56c 8275->8276 8276->8155 8278 40a4c7 4 API calls 8277->8278 8279 40a633 8278->8279 8279->8155 8281 40f04e 4 API calls 8280->8281 8284 40372a 8281->8284 8282 403847 8282->8170 8282->8178 8283 4037b3 GetCurrentThreadId 8283->8284 8285 4037c8 GetCurrentThreadId 8283->8285 8284->8282 8284->8283 8285->8284 8287 40f04e 4 API calls 8286->8287 8288 40360c 8287->8288 8289 4036da GetCurrentThreadId 8288->8289 8290 4036f1 8288->8290 8289->8290 8291 4036e5 GetCurrentThreadId 8289->8291 8290->8170 8290->8179 8291->8290 8293 404bff InterlockedExchange 8292->8293 8294 404c08 8293->8294 8295 404bec GetTickCount 8293->8295 8294->8181 8295->8294 8296 404bf7 Sleep 8295->8296 8296->8293 8316 404763 8297->8316 8299 405b58 8326 404699 8299->8326 8302 404763 lstrlenA 8303 405b6e 8302->8303 8347 404f9f 8303->8347 8305 405b79 8305->8155 8307 405549 lstrlenA 8308 40548a 8307->8308 8308->8299 8310 40558d 
lstrcpynA 8308->8310 8311 404ae6 8 API calls 8308->8311 8312 405a9f lstrcpyA 8308->8312 8313 405472 13 API calls 8308->8313 8314 405935 lstrcpynA 8308->8314 8315 4058e7 lstrcpyA 8308->8315 8320 404ae6 8308->8320 8324 40ef7c lstrlenA lstrlenA lstrlenA 8308->8324 8310->8308 8311->8308 8312->8308 8313->8308 8314->8308 8315->8308 8318 40477a 8316->8318 8317 404859 8317->8308 8318->8317 8319 40480d lstrlenA 8318->8319 8319->8318 8321 404af3 8320->8321 8323 404b03 8320->8323 8322 40ebed 8 API calls 8321->8322 8322->8323 8323->8307 8325 40efb4 8324->8325 8325->8308 8352 4045b3 8326->8352 8329 4045b3 7 API calls 8330 4046c6 8329->8330 8331 4045b3 7 API calls 8330->8331 8332 4046d8 8331->8332 8333 4045b3 7 API calls 8332->8333 8334 4046ea 8333->8334 8335 4045b3 7 API calls 8334->8335 8336 4046ff 8335->8336 8337 4045b3 7 API calls 8336->8337 8338 404711 8337->8338 8339 4045b3 7 API calls 8338->8339 8340 404723 8339->8340 8341 40ef7c 3 API calls 8340->8341 8342 404735 8341->8342 8343 40ef7c 3 API calls 8342->8343 8344 40474a 8343->8344 8345 40ef7c 3 API calls 8344->8345 8346 40475c 8345->8346 8346->8302 8348 404fac 8347->8348 8351 404fb0 8347->8351 8348->8305 8349 404ffd 8349->8305 8350 404fd5 IsBadCodePtr 8350->8351 8351->8349 8351->8350 8353 4045c1 8352->8353 8354 4045c8 8352->8354 8355 40ebcc 4 API calls 8353->8355 8356 40ebcc 4 API calls 8354->8356 8358 4045e1 8354->8358 8355->8354 8356->8358 8357 404691 8357->8329 8358->8357 8359 40ef7c 3 API calls 8358->8359 8359->8358 8375 402d21 GetModuleHandleA 8360->8375 8363 402fcf GetProcessHeap HeapFree 8367 402f44 8363->8367 8364 402f85 8364->8363 8364->8364 8365 402f4f 8366 402f6b GetProcessHeap HeapFree 8365->8366 8366->8367 8367->8199 8369 403900 8368->8369 8371 403980 8368->8371 8370 4030fa 4 API calls 8369->8370 8374 40390a 8370->8374 8371->8206 8372 40391b GetCurrentThreadId 8372->8374 8373 403939 GetCurrentThreadId 8373->8374 8374->8371 8374->8372 8374->8373 8376 402d46 LoadLibraryA 8375->8376 8377 402d5b GetProcAddress 
8375->8377 8376->8377 8379 402d54 8376->8379 8377->8379 8381 402d6b 8377->8381 8378 402d97 GetProcessHeap HeapAlloc 8378->8379 8378->8381 8379->8364 8379->8365 8379->8367 8380 402db5 lstrcpynA 8380->8381 8381->8378 8381->8379 8381->8380 8383 40a645 8382->8383 8384 40a64d 8382->8384 8383->8210 8385 40a66e 8384->8385 8386 40a65e GetTickCount 8384->8386 8385->8210 8386->8385 8388 40adbf 8387->8388 8412 40ad08 gethostname 8388->8412 8391 4030b5 2 API calls 8392 40add3 8391->8392 8393 40a7a3 inet_ntoa 8392->8393 8394 40ade4 8392->8394 8393->8394 8395 40ae85 wsprintfA 8394->8395 8397 40ae36 wsprintfA wsprintfA 8394->8397 8396 40ef7c 3 API calls 8395->8396 8398 40aebb 8396->8398 8399 40ef7c 3 API calls 8397->8399 8400 40ef7c 3 API calls 8398->8400 8399->8394 8401 40aed2 8400->8401 8402 40b211 8401->8402 8403 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 8402->8403 8404 40b2af GetLocalTime 8402->8404 8405 40b2d2 8403->8405 8404->8405 8406 40b2d9 SystemTimeToFileTime 8405->8406 8407 40b31c GetTimeZoneInformation 8405->8407 8408 40b2ec 8406->8408 8409 40b33a wsprintfA 8407->8409 8410 40b312 FileTimeToSystemTime 8408->8410 8409->8254 8410->8407 8413 40ad71 8412->8413 8417 40ad26 lstrlenA 8412->8417 8415 40ad85 8413->8415 8416 40ad79 lstrcpyA 8413->8416 8415->8391 8416->8415 8417->8413 8418 40ad68 lstrlenA 8417->8418 8418->8413 8420 40f428 14 API calls 8419->8420 8421 40198a 8420->8421 8422 401990 closesocket 8421->8422 8423 401998 8421->8423 8422->8423 8423->8014 8425 402d21 6 API calls 8424->8425 8426 402f01 8425->8426 8427 402f0f 8426->8427 8440 402df2 GetModuleHandleA 8426->8440 8429 402684 2 API calls 8427->8429 8431 402f1f 8427->8431 8430 402f1d 8429->8430 8430->8007 8431->8007 8436 401c80 8432->8436 8433 401d1c 8433->8433 8437 401d47 wsprintfA 8433->8437 8434 401cc2 wsprintfA 8435 402684 2 API calls 8434->8435 8435->8436 8436->8433 8436->8434 8439 401d79 8436->8439 8438 402684 2 API calls 8437->8438 8438->8439 8439->8028 8441 402e10 LoadLibraryA 8440->8441 8442 
402e0b 8440->8442 8443 402e17 8441->8443 8442->8441 8442->8443 8444 402ef1 8443->8444 8445 402e28 GetProcAddress 8443->8445 8444->8427 8445->8444 8446 402e3e GetProcessHeap HeapAlloc 8445->8446 8449 402e62 8446->8449 8447 402ede GetProcessHeap HeapFree 8447->8444 8448 402e7f htons inet_addr 8448->8449 8450 402ea5 gethostbyname 8448->8450 8449->8444 8449->8447 8449->8448 8449->8450 8452 402ceb 8449->8452 8450->8449 8453 402cf2 8452->8453 8455 402d1c 8453->8455 8456 402d0e Sleep 8453->8456 8457 402a62 GetProcessHeap HeapAlloc 8453->8457 8455->8449 8456->8453 8456->8455 8458 402a92 8457->8458 8459 402a99 socket 8457->8459 8458->8453 8460 402cd3 GetProcessHeap HeapFree 8459->8460 8461 402ab4 8459->8461 8460->8458 8461->8460 8475 402abd 8461->8475 8462 402adb htons 8477 4026ff 8462->8477 8464 402b04 select 8464->8475 8465 402ca4 8466 402cb3 GetProcessHeap HeapFree closesocket 8465->8466 8466->8458 8467 402b3f recv 8467->8475 8468 402b66 htons 8468->8465 8468->8475 8469 402b87 htons 8469->8465 8469->8475 8472 402bf3 GetProcessHeap HeapAlloc 8472->8475 8473 402c17 htons 8492 402871 8473->8492 8475->8462 8475->8464 8475->8465 8475->8466 8475->8467 8475->8468 8475->8469 8475->8472 8475->8473 8476 402c4d GetProcessHeap HeapFree 8475->8476 8484 402923 8475->8484 8496 402904 8475->8496 8476->8475 8478 40271d 8477->8478 8479 402717 8477->8479 8481 40272b GetTickCount htons 8478->8481 8480 40ebcc 4 API calls 8479->8480 8480->8478 8482 4027cc htons htons sendto 8481->8482 8483 40278a 8481->8483 8482->8475 8483->8482 8485 402944 8484->8485 8488 40293d 8484->8488 8500 402816 htons 8485->8500 8487 402950 8487->8488 8489 402871 htons 8487->8489 8490 4029bd htons htons htons 8487->8490 8488->8475 8489->8487 8490->8488 8491 4029f6 GetProcessHeap HeapAlloc 8490->8491 8491->8487 8491->8488 8493 4028e3 8492->8493 8495 402889 8492->8495 8493->8475 8494 4028c3 htons 8494->8493 8494->8495 8495->8493 8495->8494 8497 402921 8496->8497 8498 402908 8496->8498 8497->8475 8499 402909 
GetProcessHeap HeapFree 8498->8499 8499->8497 8499->8499 8501 40286b 8500->8501 8502 402836 8500->8502 8501->8487 8502->8501 8503 40285c htons 8502->8503 8503->8501 8503->8502 8505 406bc0 8504->8505 8506 406bbc 8504->8506 8507 40ebcc 4 API calls 8505->8507 8517 406bd4 8505->8517 8506->8048 8508 406be4 8507->8508 8509 406c07 CreateFileA 8508->8509 8510 406bfc 8508->8510 8508->8517 8512 406c34 WriteFile 8509->8512 8513 406c2a 8509->8513 8511 40ec2e codecvt 4 API calls 8510->8511 8511->8517 8515 406c49 CloseHandle DeleteFileA 8512->8515 8516 406c5a CloseHandle 8512->8516 8514 40ec2e codecvt 4 API calls 8513->8514 8514->8517 8515->8513 8518 40ec2e codecvt 4 API calls 8516->8518 8517->8048 8518->8517 8859 40be31 lstrcmpiA 8860 40be55 lstrcmpiA 8859->8860 8866 40be71 8859->8866 8861 40be61 lstrcmpiA 8860->8861 8860->8866 8864 40bfc8 8861->8864 8861->8866 8862 40bf62 lstrcmpiA 8863 40bf77 lstrcmpiA 8862->8863 8867 40bf70 8862->8867 8865 40bf8c lstrcmpiA 8863->8865 8863->8867 8865->8867 8866->8862 8870 40ebcc 4 API calls 8866->8870 8867->8864 8868 40bfc2 8867->8868 8869 40ec2e codecvt 4 API calls 8867->8869 8871 40ec2e codecvt 4 API calls 8868->8871 8869->8867 8874 40beb6 8870->8874 8871->8864 8872 40ebcc 4 API calls 8872->8874 8873 40bf5a 8873->8862 8874->8862 8874->8864 8874->8872 8874->8873 8875 405d34 IsBadWritePtr 8876 405d47 8875->8876 8877 405d4a 8875->8877 8878 405389 12 API calls 8877->8878 8879 405d80 8878->8879 8699 40a677 8700 40a63d GetTickCount 8699->8700 8701 40a685 8700->8701
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                          • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                        • ExitProcess.KERNEL32 ref: 00409C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                        • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                        • wsprintfA.USER32 ref: 0040A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                          • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                        • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                        • DeleteFileA.KERNEL32(C:\Users\user\Desktop\2FnvReiPU6.exe), ref: 0040A407
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                        • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                        • Sleep.KERNEL32(00007530), ref: 0040A4C3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\2FnvReiPU6.exe$C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe$D$P$\$crxslmyv
                                                                                        • API String ID: 2089075347-2208256327
                                                                                        • Opcode ID: 2b974e37e574cfed96f5c0f5498e5b8bec196aefc1d7885d2e868791a6bf009d
                                                                                        • Instruction ID: 3585989bbaedd28a73b270bd9bf1875f0a43ee57e8055613748a08816c1e76ab
                                                                                        • Opcode Fuzzy Hash: 2b974e37e574cfed96f5c0f5498e5b8bec196aefc1d7885d2e868791a6bf009d
                                                                                        • Instruction Fuzzy Hash: 585292B1C40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6789E948B69

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 438 d4007e-d400b1 call d4084d call d4058c call d405d0 call d4052a 447 d400b3-d400b6 call d405e3 438->447 448 d400bb-d400e9 VirtualProtect * 2 438->448 447->448 450 d400ed-d400f3 448->450 451 d400f5-d40129 call d405bc call d4038c VirtualProtect 450->451 452 d40137-d4013b 450->452 462 d40133-d40136 VirtualProtect 451->462 463 d4012b-d4012d 451->463 452->450 453 d4013d-d40168 call d40256 call d401d1 call d4058c 452->453 467 d4016a-d4016d 453->467 462->452 463->462 465 d4012f-d40131 463->465 465->462 468 d40173-d4018a 467->468 469 d4016f-d40171 467->469 470 d4018c-d40195 468->470 471 d40198-d4019b VirtualFree call d40442 468->471 469->467 470->471 473 d401a0-d401be call d40506 call d403cc call d4084d 471->473 480 d401c0-d401ce 473->480 481 d401cf 473->481 480->481 481->481
                                                                                        APIs
                                                                                          • Part of subcall function 00D405D0: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00D40093), ref: 00D405DD
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 00D400C4
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 00D400D4
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 00D4011D
                                                                                        • VirtualProtect.KERNELBASE(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 00D40133
                                                                                        • VirtualFree.KERNELBASE(?,00004000,00000002,?,?,?,00000004,?,?), ref: 00D40198
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736688985.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_d40000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$Protect$AllocFree
                                                                                        • String ID:
                                                                                        • API String ID: 3729553426-0
                                                                                        • Opcode ID: b4ea57e9c5b474e0a01886bed018e1aaea45c2fe781a12c9dc45aeed4f903f47
                                                                                        • Instruction ID: fdeeef6481958cc95f673701420e8f3bd078903e1f1e34d3bca4e81ef3d23f38
                                                                                        • Opcode Fuzzy Hash: b4ea57e9c5b474e0a01886bed018e1aaea45c2fe781a12c9dc45aeed4f903f47
                                                                                        • Instruction Fuzzy Hash: 92419272600204AFDB10EF24C885FAABBB9EF44724F254519FA459B612C775EC02CBB0

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 518 40637c-406384 519 406386-406389 518->519 520 40638a-4063b4 GetModuleHandleA VirtualAlloc 518->520 521 4063f5-4063f7 520->521 522 4063b6-4063d4 call 40ee08 VirtualAllocEx 520->522 523 40640b-40640f 521->523 522->521 526 4063d6-4063f3 call 4062b7 WriteProcessMemory 522->526 526->521 529 4063f9-40640a 526->529 529->523
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                        • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                        • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 264 401000-40100b 265 401023-40102a 264->265 266 40100d-40101f LoadLibraryA 264->266 268 401030-401037 265->268 269 4010b5-4010cb CloseHandle 265->269 266->265 267 401021-401022 266->267 268->269 272 401039-401040 268->272 270 4010d1-4010ea GetProcAddress 269->270 271 40127b 269->271 270->271 274 4010f0-40110a GetProcAddress 270->274 273 40127d-40127f 271->273 272->269 275 401042-401049 272->275 274->271 276 401110-40112a GetProcAddress 274->276 275->269 277 40104b-401052 275->277 276->271 278 401130-401149 GetProcAddress 276->278 277->269 279 401054-40105b 277->279 278->271 280 40114f-401169 GetProcAddress 278->280 279->269 281 40105d-401064 279->281 280->271 282 40116f-401189 GetProcAddress 280->282 281->269 283 401066-40106d 281->283 282->271 284 40118f-4011a8 GetProcAddress 282->284 283->269 285 40106f-401076 283->285 284->271 286 4011ae-4011c8 GetProcAddress 284->286 285->269 287 401078-40107f 285->287 286->271 288 4011ce-4011e8 GetProcAddress 286->288 287->269 289 401081-401088 287->289 288->271 291 4011ee-401207 GetProcAddress 288->291 289->269 290 40108a-401091 289->290 290->269 293 401093-40109a 290->293 291->271 292 401209-401223 GetProcAddress 291->292 292->271 294 401225-40123f GetProcAddress 292->294 293->269 295 40109c-4010a3 293->295 294->271 296 401241-40125a GetProcAddress 294->296 295->269 297 4010a5-4010ac 295->297 296->271 298 40125c-401279 GetProcAddress 296->298 297->269 299 4010ae-4010b4 297->299 298->271 298->273
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • CloseHandle.KERNELBASE(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$CloseHandleLibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2326521279-3228201535
                                                                                        • Opcode ID: 4374d5bc11ca1c2fa60be4766612f3b99720bc46af73de5be8a6125bd1a76152
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 4374d5bc11ca1c2fa60be4766612f3b99720bc46af73de5be8a6125bd1a76152
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(00000000,00000000,004122F8,00000000,0040733D,00000000), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 293dfb801b0d4665576106c5a1887ea473dc781c8fdaf55f1d5b1f1ba08ffc92
                                                                                        • Instruction ID: 1fe726b284cde181daef39815de7f37c4bbd18f96b62320efe93ab81be9ef980
                                                                                        • Opcode Fuzzy Hash: 293dfb801b0d4665576106c5a1887ea473dc781c8fdaf55f1d5b1f1ba08ffc92
                                                                                        • Instruction Fuzzy Hash: FEC1F171D04209ABEB119BA5DC45BEF7BB9EF44310F1004B7F504B71D1EA78AE908B69

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                        • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                        • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2098669666-2746444292
                                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID:
                                                                                        • API String ID: 1371578007-0
                                                                                        • Opcode ID: a40dfeaab3bfebff7a793825c1972f7e21326da42d84a9a6f547d2f5fe47edea
                                                                                        • Instruction ID: a2cdbfba8670e70976da4da8790d1ec110d93932d0bd5f5a37bac27c5c352c9a
                                                                                        • Opcode Fuzzy Hash: a40dfeaab3bfebff7a793825c1972f7e21326da42d84a9a6f547d2f5fe47edea
                                                                                        • Instruction Fuzzy Hash: C44181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7389A51DBA4

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(?,?,?,00000000,?,?,?,00000004,?,?), ref: 00D401F5
                                                                                        • VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000,?,?,?,00000004,?,?), ref: 00D40212
                                                                                        • VirtualProtect.KERNELBASE(?,00000000,?,?,?,00000000,?,?,?,00000004,?,?), ref: 00D4024B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736688985.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_d40000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 895956442-0
                                                                                        • Opcode ID: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
                                                                                        • Instruction ID: d3a2079c121bb63247e753ecc060fad14fbfbda370a683793f851e63415ba48e
                                                                                        • Opcode Fuzzy Hash: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
                                                                                        • Instruction Fuzzy Hash: 8811A3725006206FEB304E19CC88A7BBBACEF85721B19451DFE6AE7140D7B1ED0446B1

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 408151869-0
                                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00404BD1: GetTickCount.KERNEL32 ref: 00404BDD
                                                                                          • Part of subcall function 00404BD1: InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                        • lstrcmpA.KERNEL32(-00000010,00000000,?,00000000), ref: 00405114
                                                                                        • lstrcpyA.KERNEL32(-00000010,?,?), ref: 00405253
                                                                                        • lstrcmpA.KERNEL32(-00000010,00000000,-00000010,?,?,?,?,?), ref: 00405355
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountExchangeInterlockedTicklstrcpy
                                                                                        • String ID:
                                                                                        • API String ID: 4162416431-0
                                                                                        • Opcode ID: e8acb27dcbe5d2487a86e349a88a12b7971b52c73f8c974b59701084c539f241
                                                                                        • Instruction ID: c02146d65d1ec8406dc32d01bb8fb8f303b93c3970f776c7232998cb04b45f4e
                                                                                        • Opcode Fuzzy Hash: e8acb27dcbe5d2487a86e349a88a12b7971b52c73f8c974b59701084c539f241
                                                                                        • Instruction Fuzzy Hash: 7291AE71A04604AFDF15DF6AC951AAF7BA5EF54304F00447EE816AB382DB78DA40CF98

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 649 406e36-406e5d GetUserNameW 650 406ebe-406ec2 649->650 651 406e5f-406e95 LookupAccountNameW 649->651 651->650 652 406e97-406e9b 651->652 653 406ebb-406ebd 652->653 654 406e9d-406ea3 652->654 653->650 654->653 655 406ea5-406eaa 654->655 656 406eb7-406eb9 655->656 657 406eac-406eb0 655->657 656->650 657->653 658 406eb2-406eb5 657->658 658->653 658->656
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$AccountLookupUser
                                                                                        • String ID:
                                                                                        • API String ID: 2370142434-0
                                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 659 406dc2-406dd5 660 406e33-406e35 659->660 661 406dd7-406df1 call 406cc9 call 40ef00 659->661 666 406df4-406df9 661->666 666->666 667 406dfb-406e00 666->667 668 406e02-406e22 GetVolumeInformationA 667->668 669 406e24 667->669 668->669 670 406e2e 668->670 669->670 670->660
                                                                                        APIs
                                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1823874839-0
                                                                                        • Opcode ID: 7e4ae6be47200154ff028bb1e1ff25be10201b73ffa926c49eb2fe181a2a4163
                                                                                        • Instruction ID: ee48c6aff4f3cfee6008d9a51cd09a6e26e011b11466ee3f62e74e831bc3a826
                                                                                        • Opcode Fuzzy Hash: 7e4ae6be47200154ff028bb1e1ff25be10201b73ffa926c49eb2fe181a2a4163
                                                                                        • Instruction Fuzzy Hash: 38F0AFB6104218AFD7109B68EDC4FE777BE9714308F1084B6E286E3141DAB89DA85B6C

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 671 409892-4098c0 672 4098c2-4098c5 671->672 673 4098d9 671->673 672->673 675 4098c7-4098d7 672->675 674 4098e0-4098f1 SetServiceStatus 673->674 675->674
                                                                                        APIs
                                                                                        • SetServiceStatus.ADVAPI32(00413394), ref: 004098EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: ServiceStatus
                                                                                        • String ID:
                                                                                        • API String ID: 3969395364-0
                                                                                        • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                        • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                        • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                        • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 676 980000-980018 call 980752 call 98084d 682 98001d-980026 call 980300 676->682 685 980028-98002e 682->685 686 980030 685->686 687 980031-98007d call 980752 VirtualAlloc 685->687
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,000008D0,00001000,00000040), ref: 00980065
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736660386.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_980000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 4951f6c36d1fa03500621e02ddc7bb0f5560f54398a83bde0800dfd9e4836d3c
                                                                                        • Instruction ID: b4409f940e19e90500fa42c2a1686b61d032ea1b8c01cf77ba711cf21f49e573
                                                                                        • Opcode Fuzzy Hash: 4951f6c36d1fa03500621e02ddc7bb0f5560f54398a83bde0800dfd9e4836d3c
                                                                                        • Instruction Fuzzy Hash: E901A7719003456BD7102F74CC45B9F3BA8FFC5721F518869F99AA7381C97CA8808B90

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 693 4098f2-4098f4 694 4098f6-409902 call 404280 693->694 697 409904-409913 Sleep 694->697 698 409917 694->698 697->694 699 409915 697->699 700 409919-409942 call 402544 call 40977c 698->700 701 40995e-409960 698->701 699->698 705 409947-409957 call 40ee2a 700->705 705->701
                                                                                        APIs
                                                                                          • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                        • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateEventSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3100162736-0
                                                                                        • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                        • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                        • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                        • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00D40093), ref: 00D405DD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736688985.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_d40000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
                                                                                        • Instruction ID: 65ce390d9ce214b0b9a70d03eb22b0c205847d94ce1a40b3c250883ace489992
                                                                                        • Opcode Fuzzy Hash: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
                                                                                        • Instruction Fuzzy Hash: EAB012B22C038477EB304E614C0EF8A3661ABC8FA3F350000FB106B1C48AF0E8018624
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe$D
                                                                                        • API String ID: 2976863881-3264072368
                                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
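Decoded with the Windows SDK constant values, the argument columns of the listing above read as a registry-key ownership takeover: RegOpenKeyExA asks for samDesired 000E0100, which is READ_CONTROL | WRITE_DAC | WRITE_OWNER | KEY_WOW64_64KEY; RegGetKeySecurity with 00000005 fetches OWNER and DACL information; GetUserNameA and LookupAccountNameA resolve the running user's SID and GetSecurityDescriptorOwner / EqualSid compare it with the key's current owner; LocalAlloc(LPTR, 0x14) provides a 20-byte 32-bit SECURITY_DESCRIPTOR, InitializeSecurityDescriptor sets revision 1, SetSecurityDescriptorOwner fills in the owner, and RegSetKeySecurity with 00000001 writes only OWNER_SECURITY_INFORMATION back. WRITE_OWNER is what makes the later RegSetKeySecurity possible, so the access mask alone is a useful triage signal. The VirtualAlloc at ref 00980065 earlier on this page is the other pattern worth decoding: 0x8D0 bytes with MEM_COMMIT (00001000) and PAGE_EXECUTE_READWRITE (00000040) in a region the report marks as not PE-backed. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's "APIs" format (the embedded input is a constructed copy of lines from this page), names the bits of the masks, and flags both patterns. The function names parse_listing, rwx_allocations, registry_ownership_takeover and summarize are this example's own.

```python
"""Decode Joe Sandbox "APIs" listings and flag two behaviours they expose:
RWX memory allocation and registry-key ownership takeover.
Added example (not the report's or the sample's code); the constants are the
Win32 values from the Windows SDK headers."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed input: copies of lines in the shape of the report's "APIs" listings.
SAMPLE_LISTING = """
• VirtualAlloc.KERNELBASE(00000000,000008D0,00001000,00000040), ref: 00980065
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00D40093), ref: 00D405DD
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
  • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000), ref: 00404290
• wsprintfA.USER32 ref: 0040A7FB
"""

# One listing line: optional "Part of subcall function X:" prefix, API.MODULE,
# optional parenthesised argument list, then "ref: ADDRESS".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # the report prints numeric args as 8 hex digits

# Win32 constants (Windows SDK values).
PAGE_PROTECT = [(0x40, "PAGE_EXECUTE_READWRITE"), (0x20, "PAGE_EXECUTE_READ"), (0x10, "PAGE_EXECUTE"),
                (0x04, "PAGE_READWRITE"), (0x02, "PAGE_READONLY")]
WRITE_OWNER, WRITE_DAC, READ_CONTROL = 0x00080000, 0x00040000, 0x00020000
REG_SAM = [(READ_CONTROL, "READ_CONTROL"), (WRITE_DAC, "WRITE_DAC"), (WRITE_OWNER, "WRITE_OWNER"),
           (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
           (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0100, "KEY_WOW64_64KEY"),
           (0x0200, "KEY_WOW64_32KEY")]
OWNER_SECURITY_INFORMATION = 0x1
SECURITY_INFO = [(0x1, "OWNER"), (0x2, "GROUP"), (0x4, "DACL"), (0x8, "SACL")]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Union[int, str, None]]   # None stands for the report's "?" (value unknown)
    ref: int
    subcall_of: Optional[int] = None    # set for "Part of subcall function" lines


def parse_listing(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args: List[Union[int, str, None]] = []
        for raw in (m.group("args") or "").split(","):
            raw = raw.strip()
            if raw == "":
                continue
            if raw == "?":
                args.append(None)
            elif HEX_RE.match(raw):
                args.append(int(raw, 16))
            else:
                args.append(raw)          # a string literal such as a path or "."
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def decode_flags(value: int, table) -> List[str]:
    """Name the bits of a mask in table order; bits the table does not know are appended as hex."""
    names = [name for bit, name in table if value & bit]
    known = 0
    for bit, _ in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(hex(leftover))
    return names


def _int_arg(call: ApiCall, index: int) -> Optional[int]:
    if index < len(call.args) and isinstance(call.args[index], int):
        return call.args[index]
    return None


def rwx_allocations(calls: List[ApiCall]) -> List[int]:
    """Refs of VirtualAlloc calls whose flProtect (4th argument) includes PAGE_EXECUTE_READWRITE."""
    return [c.ref for c in calls if c.api.startswith("VirtualAlloc") and (_int_arg(c, 3) or 0) & 0x40]


def registry_ownership_takeover(calls: List[ApiCall]) -> Optional[dict]:
    """Refs of the takeover sequence in listing order, or None if it is absent:
    RegOpenKeyEx* requesting WRITE_OWNER, then SetSecurityDescriptorOwner,
    then RegSetKeySecurity writing OWNER_SECURITY_INFORMATION."""
    open_ref = set_owner_ref = None
    for c in calls:
        if c.api.startswith("RegOpenKeyEx") and (_int_arg(c, 3) or 0) & WRITE_OWNER:
            open_ref = c.ref
        elif open_ref is not None and c.api == "SetSecurityDescriptorOwner":
            set_owner_ref = c.ref
        elif set_owner_ref is not None and c.api == "RegSetKeySecurity" \
                and (_int_arg(c, 1) or 0) & OWNER_SECURITY_INFORMATION:
            return {"open": open_ref, "set_owner": set_owner_ref, "commit": c.ref}
    return None


def summarize(calls: List[ApiCall]) -> List[str]:
    """One readable line per allocation or registry-security call, with its mask decoded."""
    out = []
    for c in calls:
        if c.api.startswith("VirtualAlloc"):
            size = _int_arg(c, 1)
            prot = "|".join(decode_flags(_int_arg(c, 3) or 0, PAGE_PROTECT))
            out.append(f"{c.ref:08X} VirtualAlloc size={size:#x} protect={prot}" if size is not None
                       else f"{c.ref:08X} VirtualAlloc size=? protect={prot}")
        elif c.api.startswith("RegOpenKeyEx"):
            out.append(f"{c.ref:08X} {c.api} samDesired=" + "|".join(decode_flags(_int_arg(c, 3) or 0, REG_SAM)))
        elif c.api in ("RegGetKeySecurity", "RegSetKeySecurity"):
            out.append(f"{c.ref:08X} {c.api} info=" + "|".join(decode_flags(_int_arg(c, 1) or 0, SECURITY_INFO)))
    return out


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for line in summarize(parsed):
        print(line)
    print("RWX allocations at:", [f"{r:08X}" for r in rwx_allocations(parsed)])
    print("registry ownership takeover:", registry_ownership_takeover(parsed))
```

Run against the constructed listing, summarize decodes 000E0100 to READ_CONTROL|WRITE_DAC|WRITE_OWNER|KEY_WOW64_64KEY and 00000005 to OWNER|DACL, rwx_allocations reports only the 00980065 call (the D405DD allocation is PAGE_READWRITE), and registry_ownership_takeover returns the three refs 00407ABA, 00407B9C and 00407BAB. The ordering check is deliberate: WRITE_OWNER in a samDesired mask on its own is only a hint, while an open-with-WRITE_OWNER followed by an owner write through RegSetKeySecurity is the full pattern.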
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: daf4d949a7859ac2eff1297604e09a10f79e0a9bf3e1ba7555a3ae86ccb7c85f
                                                                                        • Instruction ID: adaa1854a3122378bd2daea31773aef3e538fc03cb04507581bb4a4c69c5dae0
                                                                                        • Opcode Fuzzy Hash: daf4d949a7859ac2eff1297604e09a10f79e0a9bf3e1ba7555a3ae86ccb7c85f
                                                                                        • Instruction Fuzzy Hash: F6615E72940208EFDB609FB4DC45FEA77E9FF08300F24846AF96DD21A1DA7599908F58
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                        • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,00410750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe$localcfg
                                                                                        • API String ID: 237177642-1041734748
                                                                                        • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                        • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-179334549
                                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 29b29ba27ec834052d86494178e52c9b6600cd948377f9b0f2b6c99c1419fed0
                                                                                        • Instruction ID: 136d33d61de9b77116bbe3bbd7cc91a466c000d0b1383b285604d193ab548d94
                                                                                        • Opcode Fuzzy Hash: 29b29ba27ec834052d86494178e52c9b6600cd948377f9b0f2b6c99c1419fed0
                                                                                        • Instruction Fuzzy Hash: 1451EAB05043446FD330AF768C85F67BAECEB84708F00493FF955A2292D7BDA94487A9
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                                        • select.WS2_32 ref: 00402B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(00000000,00000000,004122F8,00000000,0040733D,00000000), ref: 0040F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"
                                                                                        • API String ID: 4293430545-3817095088
                                                                                        • Opcode ID: 2c1a7a5e27a45d9024ae5e8b0fc79a4811596a6e22ca9665a21b83de94bf1e77
                                                                                        • Instruction ID: 74598ce6d8ea9c8d39eff0b1fc7e26e3f0ef6396efd0c92e31e65397aa2b09b2
                                                                                        • Opcode Fuzzy Hash: 2c1a7a5e27a45d9024ae5e8b0fc79a4811596a6e22ca9665a21b83de94bf1e77
                                                                                        • Instruction Fuzzy Hash: 17B17E71C0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501B61D1EB79AA94CB69
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                        • CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: f08e4a66b1d8eb56d3ad1f8584b36153d56304273cbc9e31910b95c3030bd838
                                                                                        • Instruction ID: e1b414ac2acd800f86155b9566517fe94806afef677b15be1bf33dae74c6658f
                                                                                        • Opcode Fuzzy Hash: f08e4a66b1d8eb56d3ad1f8584b36153d56304273cbc9e31910b95c3030bd838
                                                                                        • Instruction Fuzzy Hash: 33A181B2540208BBEB21DFA1DC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(00410750), ref: 0040A7A9
                                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX
                                                                                        • API String ID: 3631595830-340622817
                                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-142018493
                                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                        • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                        • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                                        Strings
                                                                                        • %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u, xrefs: 0040B3AF
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
                                                                                        • API String ID: 766114626-4076198852
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3188212458-0
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                        • wsprintfA.USER32 ref: 00407036
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                        • API String ID: 1082366364-3395550214
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                         • Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                                                                                         • Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
                                                                                         • Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                        • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                        • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 3343386518-1846390581
                                                                                        • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                        • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                        APIs
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                        • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                                        • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                        • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                        • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                        • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                          • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe
                                                                                        • API String ID: 124786226-1428914613
                                                                                        • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                        • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                        • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                        • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                                        • String ID: LocalHost
                                                                                        • API String ID: 3695455745-3154191806
                                                                                        • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                        • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                        • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1586453840-0
                                                                                        • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                        • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                        • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                        • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                        • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                        • String ID:
                                                                                        • API String ID: 1802437671-0
                                                                                        • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                        • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                        • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3857584221-0
                                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                        • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 2574300362-1087626847
                                                                                        • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                        • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2777991786-2393279970
                                                                                        • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                        • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID: *p@
                                                                                        • API String ID: 3429775523-2474123842
                                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                        • API String ID: 2111968516-120809033
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                        • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                        • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                        • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseCreateDelete
                                                                                        • String ID:
                                                                                        • API String ID: 2667537340-0
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                        • GetLastError.KERNEL32 ref: 00403F4E
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        APIs
                                                                                        • lstrcmpA.KERNEL32(?,80000009,00000000,80000001, A,0040DF42,00000000,00000001,?,?,75A8EA50,80000001), ref: 0040DDFF
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 1534048567-1846390581
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                        • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                        • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                        • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                        • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00403103
                                                                                        • GetTickCount.KERNEL32 ref: 0040310F
                                                                                        • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                        • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID: ,k@
                                                                                        • API String ID: 3934441357-1053005162
                                                                                        APIs
                                                                                        Strings
                                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTickwsprintf
                                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                        • API String ID: 2424974917-1012700906
                                                                                        • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                        • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000B.00000002.1736375134.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1736362009.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736391775.0000000000410000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736406969.0000000000412000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.1736417950.0000000000414000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_upwtsplm.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1807
Total number of Limit Nodes: 18
API calls 6410->6411 6412 62dae0 6411->6412 6412->6379 6413 62df4c 20 API calls 6439 62cb70 6413->6439 6419 62e654 13 API calls 6419->6439 6422 62f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6422->6439 6425 62ea84 30 API calls 6425->6439 6426 62d569 closesocket Sleep 7044 62e318 6426->7044 6427 62d815 wsprintfA 6427->6439 6428 62cc1c GetTempPathA 6428->6439 6429 62c517 23 API calls 6429->6439 6431 627ead 6 API calls 6431->6439 6432 62e8a1 30 API calls 6432->6439 6433 62d582 ExitProcess 6434 62c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6434->6439 6435 62cfe3 GetSystemDirectoryA 6435->6439 6436 62cfad GetEnvironmentVariableA 6436->6439 6437 62675c 21 API calls 6437->6439 6438 62d027 GetSystemDirectoryA 6438->6439 6439->6410 6439->6413 6439->6419 6439->6422 6439->6425 6439->6426 6439->6427 6439->6428 6439->6429 6439->6431 6439->6432 6439->6434 6439->6435 6439->6436 6439->6437 6439->6438 6440 62d105 lstrcatA 6439->6440 6441 62ef1e lstrlenA 6439->6441 6442 62cc9f CreateFileA 6439->6442 6443 62ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6439->6443 6445 62d15b CreateFileA 6439->6445 6450 62d149 SetFileAttributesA 6439->6450 6451 62d36e GetEnvironmentVariableA 6439->6451 6452 62d1bf SetFileAttributesA 6439->6452 6453 628e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6439->6453 6455 62d22d GetEnvironmentVariableA 6439->6455 6456 62d3af lstrcatA 6439->6456 6458 62d3f2 CreateFileA 6439->6458 6460 627fcf 64 API calls 6439->6460 6466 62d3e0 SetFileAttributesA 6439->6466 6467 62d26e lstrcatA 6439->6467 6469 62d4b1 CreateProcessA 6439->6469 6470 62d2b1 CreateFileA 6439->6470 6472 62d452 SetFileAttributesA 6439->6472 6474 627ee6 64 API calls 6439->6474 6475 62d29f SetFileAttributesA 6439->6475 6478 62d31d SetFileAttributesA 6439->6478 7005 62c75d 6439->7005 7017 627e2f 6439->7017 7039 627ead 6439->7039 7049 6231d0 6439->7049 7066 623c09 6439->7066 7076 623a00 6439->7076 7080 
62e7b4 6439->7080 7083 62c06c 6439->7083 7089 626f5f GetUserNameA 6439->7089 7100 62e854 6439->7100 7110 627dd6 6439->7110 6440->6439 6441->6439 6442->6439 6444 62ccc6 WriteFile 6442->6444 6443->6439 6446 62cdcc CloseHandle 6444->6446 6447 62cced CloseHandle 6444->6447 6445->6439 6448 62d182 WriteFile CloseHandle 6445->6448 6446->6439 6454 62cd2f 6447->6454 6448->6439 6449 62cd16 wsprintfA 6449->6454 6450->6445 6451->6439 6452->6439 6453->6439 6454->6449 7026 627fcf 6454->7026 6455->6439 6456->6439 6456->6458 6458->6439 6461 62d415 WriteFile CloseHandle 6458->6461 6460->6439 6461->6439 6462 62cd81 WaitForSingleObject CloseHandle CloseHandle 6464 62f04e 4 API calls 6462->6464 6463 62cda5 6465 627ee6 64 API calls 6463->6465 6464->6463 6468 62cdbd DeleteFileA 6465->6468 6466->6458 6467->6439 6467->6470 6468->6439 6469->6439 6471 62d4e8 CloseHandle CloseHandle 6469->6471 6470->6439 6473 62d2d8 WriteFile CloseHandle 6470->6473 6471->6439 6472->6439 6473->6439 6474->6439 6475->6470 6478->6439 6480 626784 CreateFileA 6479->6480 6481 62677a SetFileAttributesA 6479->6481 6482 6267a4 CreateFileA 6480->6482 6483 6267b5 6480->6483 6481->6480 6482->6483 6484 6267c5 6483->6484 6485 6267ba SetFileAttributesA 6483->6485 6486 626977 6484->6486 6487 6267cf GetFileSize 6484->6487 6485->6484 6486->6176 6507 626a60 CreateFileA 6486->6507 6488 6267e5 6487->6488 6506 626965 6487->6506 6490 6267ed ReadFile 6488->6490 6488->6506 6489 62696e CloseHandle 6489->6486 6491 626811 SetFilePointer 6490->6491 6490->6506 6492 62682a ReadFile 6491->6492 6491->6506 6493 626848 SetFilePointer 6492->6493 6492->6506 6494 626867 6493->6494 6493->6506 6495 6268d5 6494->6495 6496 626878 ReadFile 6494->6496 6495->6489 6498 62ebcc 4 API calls 6495->6498 6497 6268d0 6496->6497 6499 626891 6496->6499 6497->6495 6500 6268f8 6498->6500 6499->6496 6499->6497 6501 626900 SetFilePointer 6500->6501 6500->6506 6502 62695a 6501->6502 6503 62690d ReadFile 6501->6503 6504 62ec2e codecvt 4 API calls 6502->6504 6503->6502 
6505 626922 6503->6505 6504->6506 6505->6489 6506->6489 6508 626a8f GetDiskFreeSpaceA 6507->6508 6509 626b8c GetLastError 6507->6509 6510 626ac5 6508->6510 6519 626ad7 6508->6519 6517 626b86 6509->6517 7195 62eb0e 6510->7195 6514 626b56 CloseHandle 6514->6517 6518 626b65 GetLastError CloseHandle 6514->6518 6515 626b36 GetLastError CloseHandle 6516 626b7f DeleteFileA 6515->6516 6516->6517 6517->6190 6518->6516 7199 626987 6519->7199 6521 6296b9 6520->6521 6522 6273ff 17 API calls 6521->6522 6523 6296e2 6522->6523 6524 6296f7 6523->6524 6525 62704c 16 API calls 6523->6525 6524->6168 6524->6169 6525->6524 6527 6242a5 6526->6527 6528 62429d 6526->6528 7205 623ecd 6527->7205 6528->6172 6528->6186 6530 6242b0 7209 624000 6530->7209 6532 6243c1 CloseHandle 6532->6528 6533 6242b6 6533->6528 6533->6532 7215 623f18 WriteFile 6533->7215 6538 6243ba CloseHandle 6538->6532 6539 624318 6540 623f18 4 API calls 6539->6540 6541 624331 6540->6541 6542 623f18 4 API calls 6541->6542 6543 62434a 6542->6543 6544 62ebcc 4 API calls 6543->6544 6545 624350 6544->6545 6546 623f18 4 API calls 6545->6546 6547 624389 6546->6547 6548 62ec2e codecvt 4 API calls 6547->6548 6549 62438f 6548->6549 6550 623f8c 4 API calls 6549->6550 6551 62439f CloseHandle CloseHandle 6550->6551 6551->6528 6553 6299eb 6552->6553 6554 629a2f lstrcatA 6553->6554 6555 62ee2a 6554->6555 6556 629a4b lstrcatA 6555->6556 6557 626a60 13 API calls 6556->6557 6558 629a60 6557->6558 6558->6196 6558->6226 6559 626dc2 6558->6559 6560 626e33 6559->6560 6561 626dd7 6559->6561 6560->6213 6562 626cc9 5 API calls 6561->6562 6563 626ddc 6562->6563 6563->6563 6564 626e02 GetVolumeInformationA 6563->6564 6565 626e24 6563->6565 6564->6565 6565->6560 6567 626cdc GetModuleHandleA GetProcAddress 6566->6567 6572 626d8b 6566->6572 6568 626d12 GetSystemDirectoryA 6567->6568 6569 626cfd 6567->6569 6570 626d27 GetWindowsDirectoryA 6568->6570 6571 626d1e 6568->6571 6569->6568 6569->6572 6574 626d42 6570->6574 6571->6570 6571->6572 6572->6222 6573 
62ef1e lstrlenA 6573->6572 6574->6573 7223 621910 6575->7223 6578 62934a GetModuleHandleA GetModuleFileNameA 6580 62937f 6578->6580 6581 6293a4 6580->6581 6582 6293d9 6580->6582 6583 6293c3 wsprintfA 6581->6583 6584 629401 wsprintfA 6582->6584 6585 629415 6583->6585 6584->6585 6588 626cc9 5 API calls 6585->6588 6609 6294a0 6585->6609 6586 626edd 5 API calls 6587 6294ac 6586->6587 6589 62962f 6587->6589 6590 6294e8 RegOpenKeyExA 6587->6590 6594 629439 6588->6594 6595 629646 6589->6595 7238 621820 6589->7238 6592 629502 6590->6592 6593 6294fb 6590->6593 6599 62951f RegQueryValueExA 6592->6599 6593->6589 6597 62958a 6593->6597 6600 62ef1e lstrlenA 6594->6600 6598 6295d6 6595->6598 7244 6291eb 6595->7244 6597->6595 6601 629593 6597->6601 6598->6232 6598->6233 6603 629539 6599->6603 6608 629530 6599->6608 6604 629462 6600->6604 6601->6598 7225 62f0e4 6601->7225 6602 62956e RegCloseKey 6602->6593 6605 629556 RegQueryValueExA 6603->6605 6606 62947e wsprintfA 6604->6606 6605->6602 6605->6608 6606->6609 6608->6602 6609->6586 6610 6295bb 6610->6598 7232 6218e0 6610->7232 6613 622544 6612->6613 6614 62972d RegOpenKeyExA 6613->6614 6615 629740 6614->6615 6616 629765 6614->6616 6617 62974f RegDeleteValueA RegCloseKey 6615->6617 6616->6207 6617->6616 6619 622554 lstrcatA 6618->6619 6620 62ee2a 6619->6620 6621 62a0ec lstrcatA 6620->6621 6621->6240 6623 62ec37 6622->6623 6624 62a15d 6622->6624 6625 62eba0 codecvt 2 API calls 6623->6625 6624->6172 6624->6176 6626 62ec3d GetProcessHeap RtlFreeHeap 6625->6626 6626->6624 6628 622544 6627->6628 6629 62919e wsprintfA 6628->6629 6630 6291bb 6629->6630 7282 629064 GetTempPathA 6630->7282 6633 6291e7 6633->6190 6634 6291d5 ShellExecuteA 6634->6633 6636 626ed5 6635->6636 6637 626ecc 6635->6637 6636->6227 6638 626e36 2 API calls 6637->6638 6638->6636 6640 6298f6 6639->6640 6641 624280 30 API calls 6640->6641 6642 629904 Sleep 6640->6642 6643 629915 6640->6643 6641->6640 6642->6640 6642->6643 6645 629947 6643->6645 7289 62977c 6643->7289 
6645->6223 6647 62dd41 InterlockedExchange 6646->6647 6648 62dd20 GetCurrentThreadId 6647->6648 6649 62dd4a 6647->6649 6650 62dd53 GetCurrentThreadId 6648->6650 6651 62dd2e GetTickCount 6648->6651 6649->6650 6650->6259 6652 62dd39 Sleep 6651->6652 6653 62dd4c 6651->6653 6652->6647 6653->6650 6655 62dbf0 6654->6655 6687 62db67 GetEnvironmentVariableA 6655->6687 6657 62dcda 6657->6261 6658 62dc19 6658->6657 6659 62db67 3 API calls 6658->6659 6660 62dc5c 6659->6660 6660->6657 6661 62db67 3 API calls 6660->6661 6662 62dc9b 6661->6662 6662->6657 6663 62db67 3 API calls 6662->6663 6663->6657 6665 62e528 6664->6665 6666 62e3f4 6664->6666 6665->6272 6667 62e434 RegQueryValueExA 6666->6667 6668 62e458 6667->6668 6669 62e51d RegCloseKey 6667->6669 6670 62e46e RegQueryValueExA 6668->6670 6669->6665 6670->6668 6671 62e488 6670->6671 6671->6669 6672 62db2e 8 API calls 6671->6672 6673 62e499 6672->6673 6673->6669 6674 62e4b9 RegQueryValueExA 6673->6674 6675 62e4e8 6673->6675 6674->6673 6674->6675 6675->6669 6676 62e332 14 API calls 6675->6676 6677 62e513 6676->6677 6677->6669 6679 62db55 6678->6679 6680 62db3a 6678->6680 6679->6263 6679->6268 6691 62ebed 6680->6691 6709 62f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6682->6709 6684 62e3be 6684->6263 6685 62e342 6685->6684 6712 62de24 6685->6712 6688 62dbca 6687->6688 6690 62db89 lstrcpyA CreateFileA 6687->6690 6688->6658 6690->6658 6692 62ec01 6691->6692 6693 62ebf6 6691->6693 6703 62eba0 6692->6703 6700 62ebcc GetProcessHeap RtlAllocateHeap 6693->6700 6701 62eb74 2 API calls 6700->6701 6702 62ebe8 6701->6702 6702->6679 6704 62eba7 GetProcessHeap HeapSize 6703->6704 6705 62ebbf GetProcessHeap HeapReAlloc 6703->6705 6704->6705 6706 62eb74 6705->6706 6707 62eb7b GetProcessHeap HeapSize 6706->6707 6708 62eb93 6706->6708 6707->6708 6708->6679 6723 62eb41 6709->6723 6711 62f0b7 6711->6685 6713 62de3a 6712->6713 6718 62de4e 6713->6718 6732 62dd84 6713->6732 6716 62de9e 6717 62ebed 8 API calls 6716->6717 6716->6718 6721 62def6 
6717->6721 6718->6685 6719 62de76 6736 62ddcf 6719->6736 6721->6718 6722 62ddcf lstrcmpA 6721->6722 6722->6718 6724 62eb61 6723->6724 6725 62eb4a 6723->6725 6724->6711 6728 62eae4 6725->6728 6727 62eb54 6727->6711 6727->6724 6729 62eb02 GetProcAddress 6728->6729 6730 62eaed LoadLibraryA 6728->6730 6729->6727 6730->6729 6731 62eb01 6730->6731 6731->6727 6733 62dd96 6732->6733 6734 62ddc5 6732->6734 6733->6734 6735 62ddad lstrcmpiA 6733->6735 6734->6716 6734->6719 6735->6733 6735->6734 6737 62de20 6736->6737 6739 62dddd 6736->6739 6737->6718 6738 62ddfa lstrcmpA 6738->6739 6739->6737 6739->6738 6741 62dd05 6 API calls 6740->6741 6742 62e821 6741->6742 6743 62dd84 lstrcmpiA 6742->6743 6744 62e82c 6743->6744 6745 62e844 6744->6745 6790 622480 6744->6790 6745->6288 6748 62ea98 6747->6748 6799 62e8a1 6748->6799 6750 621e84 6750->6297 6752 6219d5 GetProcAddress GetProcAddress GetProcAddress 6751->6752 6755 6219ce 6751->6755 6753 621ab3 FreeLibrary 6752->6753 6754 621a04 6752->6754 6753->6755 6754->6753 6756 621a14 GetBestInterface GetProcessHeap 6754->6756 6755->6301 6756->6755 6757 621a2e HeapAlloc 6756->6757 6757->6755 6758 621a42 GetAdaptersInfo 6757->6758 6759 621a62 6758->6759 6760 621a52 HeapReAlloc 6758->6760 6761 621aa1 FreeLibrary 6759->6761 6762 621a69 GetAdaptersInfo 6759->6762 6760->6759 6761->6755 6762->6761 6763 621a75 HeapFree 6762->6763 6763->6761 6827 621ac3 LoadLibraryA 6765->6827 6768 621bcf 6768->6313 6770 621ac3 13 API calls 6769->6770 6771 621c09 6770->6771 6772 621c5a 6771->6772 6773 621c0d GetComputerNameA 6771->6773 6772->6320 6774 621c45 GetVolumeInformationA 6773->6774 6775 621c1f 6773->6775 6774->6772 6775->6774 6776 621c41 6775->6776 6776->6772 6778 62ee2a 6777->6778 6779 6230d0 gethostname gethostbyname 6778->6779 6780 621f82 6779->6780 6780->6325 6780->6327 6782 62dd05 6 API calls 6781->6782 6783 62df7c 6782->6783 6784 62dd84 lstrcmpiA 6783->6784 6788 62df89 6784->6788 6785 62dfc4 6785->6294 6786 62ddcf lstrcmpA 6786->6788 6787 62ec2e 
codecvt 4 API calls 6787->6788 6788->6785 6788->6786 6788->6787 6789 62dd84 lstrcmpiA 6788->6789 6789->6788 6793 622419 lstrlenA 6790->6793 6792 622491 6792->6745 6794 62243d lstrlenA 6793->6794 6798 622474 6793->6798 6795 622464 lstrlenA 6794->6795 6796 62244e lstrcmpiA 6794->6796 6795->6794 6795->6798 6796->6795 6797 62245c 6796->6797 6797->6795 6797->6798 6798->6792 6800 62dd05 6 API calls 6799->6800 6801 62e8b4 6800->6801 6802 62dd84 lstrcmpiA 6801->6802 6803 62e8c0 6802->6803 6804 62e90a 6803->6804 6805 62e8c8 lstrcpynA 6803->6805 6806 622419 4 API calls 6804->6806 6814 62ea27 6804->6814 6807 62e8f5 6805->6807 6808 62e926 lstrlenA lstrlenA 6806->6808 6820 62df4c 6807->6820 6810 62e96a 6808->6810 6811 62e94c lstrlenA 6808->6811 6810->6814 6815 62ebcc 4 API calls 6810->6815 6811->6810 6812 62e901 6813 62dd84 lstrcmpiA 6812->6813 6813->6804 6814->6750 6816 62e98f 6815->6816 6816->6814 6817 62df4c 20 API calls 6816->6817 6818 62ea1e 6817->6818 6819 62ec2e codecvt 4 API calls 6818->6819 6819->6814 6821 62dd05 6 API calls 6820->6821 6822 62df51 6821->6822 6823 62f04e 4 API calls 6822->6823 6824 62df58 6823->6824 6825 62de24 10 API calls 6824->6825 6826 62df63 6825->6826 6826->6812 6828 621ae2 GetProcAddress 6827->6828 6834 621b68 GetComputerNameA GetVolumeInformationA 6827->6834 6831 621af5 6828->6831 6828->6834 6829 621b1c GetAdaptersAddresses 6829->6831 6832 621b29 6829->6832 6830 62ebed 8 API calls 6830->6831 6831->6829 6831->6830 6831->6832 6832->6832 6833 62ec2e codecvt 4 API calls 6832->6833 6832->6834 6833->6834 6834->6768 6836 626ec3 2 API calls 6835->6836 6837 627ef4 6836->6837 6847 627fc9 6837->6847 6873 6273ff 6837->6873 6839 627f16 6839->6847 6893 627809 GetUserNameA 6839->6893 6841 627f63 6841->6847 6917 62ef1e lstrlenA 6841->6917 6844 62ef1e lstrlenA 6845 627fb7 6844->6845 6919 627a95 RegOpenKeyExA 6845->6919 6847->6336 6849 627073 6848->6849 6850 6270b9 RegOpenKeyExA 6849->6850 6851 6270d0 6850->6851 6866 6271b8 6850->6866 6852 626dc2 6 API calls 
6851->6852 6855 6270d5 6852->6855 6853 62719b RegEnumValueA 6854 6271af RegCloseKey 6853->6854 6853->6855 6854->6866 6855->6853 6857 6271d0 6855->6857 6950 62f1a5 lstrlenA 6855->6950 6858 627205 RegCloseKey 6857->6858 6859 627227 6857->6859 6858->6866 6860 6272b8 ___ascii_stricmp 6859->6860 6861 62728e RegCloseKey 6859->6861 6862 6272cd RegCloseKey 6860->6862 6863 6272dd 6860->6863 6861->6866 6862->6866 6864 627311 RegCloseKey 6863->6864 6865 627335 6863->6865 6864->6866 6867 62f1a5 lstrlenA 6865->6867 6866->6337 6869 62733d 6867->6869 6868 6273d5 RegCloseKey 6870 6273e4 6868->6870 6869->6868 6871 62737e GetFileAttributesExA 6869->6871 6872 627397 6869->6872 6871->6872 6872->6868 6874 62741b 6873->6874 6875 626dc2 6 API calls 6874->6875 6876 62743f 6875->6876 6877 627469 RegOpenKeyExA 6876->6877 6879 6277f9 6877->6879 6888 627487 ___ascii_stricmp 6877->6888 6878 627703 RegEnumKeyA 6880 627714 RegCloseKey 6878->6880 6878->6888 6879->6839 6880->6879 6881 6274d2 RegOpenKeyExA 6881->6888 6882 62772c 6884 627742 RegCloseKey 6882->6884 6885 62774b 6882->6885 6883 627521 RegQueryValueExA 6883->6888 6884->6885 6886 6277ec RegCloseKey 6885->6886 6886->6879 6887 6276e4 RegCloseKey 6887->6888 6888->6878 6888->6881 6888->6882 6888->6883 6888->6887 6890 62f1a5 lstrlenA 6888->6890 6891 62777e GetFileAttributesExA 6888->6891 6892 627769 6888->6892 6889 6277e3 RegCloseKey 6889->6886 6890->6888 6891->6892 6892->6889 6894 627a8d 6893->6894 6895 62783d LookupAccountNameA 6893->6895 6894->6841 6895->6894 6896 627874 GetLengthSid GetFileSecurityA 6895->6896 6896->6894 6897 6278a8 GetSecurityDescriptorOwner 6896->6897 6898 6278c5 EqualSid 6897->6898 6899 62791d GetSecurityDescriptorDacl 6897->6899 6898->6899 6900 6278dc LocalAlloc 6898->6900 6899->6894 6915 627941 6899->6915 6900->6899 6901 6278ef InitializeSecurityDescriptor 6900->6901 6902 627916 LocalFree 6901->6902 6903 6278fb SetSecurityDescriptorOwner 6901->6903 6902->6899 6903->6902 6905 62790b SetFileSecurityA 6903->6905 6904 
62795b GetAce 6904->6915 6905->6902 6906 627980 EqualSid 6906->6915 6907 627a3d 6907->6894 6910 627a43 LocalAlloc 6907->6910 6908 6279be EqualSid 6908->6915 6909 62799d DeleteAce 6909->6915 6910->6894 6911 627a56 InitializeSecurityDescriptor 6910->6911 6912 627a62 SetSecurityDescriptorDacl 6911->6912 6913 627a86 LocalFree 6911->6913 6912->6913 6914 627a73 SetFileSecurityA 6912->6914 6913->6894 6914->6913 6916 627a83 6914->6916 6915->6894 6915->6904 6915->6906 6915->6907 6915->6908 6915->6909 6916->6913 6918 627fa6 6917->6918 6918->6844 6920 627ac4 6919->6920 6921 627acb GetUserNameA 6919->6921 6920->6847 6922 627da7 RegCloseKey 6921->6922 6923 627aed LookupAccountNameA 6921->6923 6922->6920 6923->6922 6924 627b24 RegGetKeySecurity 6923->6924 6924->6922 6925 627b49 GetSecurityDescriptorOwner 6924->6925 6926 627b63 EqualSid 6925->6926 6927 627bb8 GetSecurityDescriptorDacl 6925->6927 6926->6927 6928 627b74 LocalAlloc 6926->6928 6929 627da6 6927->6929 6930 627bdc 6927->6930 6928->6927 6931 627b8a InitializeSecurityDescriptor 6928->6931 6929->6922 6930->6929 6934 627bf8 GetAce 6930->6934 6936 627c1d EqualSid 6930->6936 6937 627c5f EqualSid 6930->6937 6938 627cd9 6930->6938 6939 627c3a DeleteAce 6930->6939 6932 627bb1 LocalFree 6931->6932 6933 627b96 SetSecurityDescriptorOwner 6931->6933 6932->6927 6933->6932 6935 627ba6 RegSetKeySecurity 6933->6935 6934->6930 6935->6932 6936->6930 6937->6930 6938->6929 6940 627d5a LocalAlloc 6938->6940 6942 627cf2 RegOpenKeyExA 6938->6942 6939->6930 6940->6929 6941 627d70 InitializeSecurityDescriptor 6940->6941 6943 627d9f LocalFree 6941->6943 6944 627d7c SetSecurityDescriptorDacl 6941->6944 6942->6940 6947 627d0f 6942->6947 6943->6929 6944->6943 6945 627d8c RegSetKeySecurity 6944->6945 6945->6943 6946 627d9c 6945->6946 6946->6943 6948 627d43 RegSetValueExA 6947->6948 6948->6940 6949 627d54 6948->6949 6949->6940 6951 62f1c3 6950->6951 6951->6855 6952->6356 6954 62dd05 6 API calls 6953->6954 6957 62e65f 6954->6957 6955 62e6a5 6956 62ebcc 
4 API calls 6955->6956 6960 62e6f5 6955->6960 6958 62e6b0 6956->6958 6957->6955 6959 62e68c lstrcmpA 6957->6959 6958->6960 6961 62e6b7 6958->6961 6962 62e6e0 lstrcpynA 6958->6962 6959->6957 6960->6961 6963 62e71d lstrcmpA 6960->6963 6961->6358 6962->6960 6963->6960 6964->6364 6966 622692 inet_addr 6965->6966 6968 62268e 6965->6968 6967 62269e gethostbyname 6966->6967 6966->6968 6967->6968 6969 62f428 6968->6969 7117 62f315 6969->7117 6972 62f43e 6973 62f473 recv 6972->6973 6974 62f458 6973->6974 6975 62f47c 6973->6975 6974->6973 6974->6975 6975->6395 6977 62c525 6976->6977 6978 62c532 6976->6978 6977->6978 6981 62ec2e codecvt 4 API calls 6977->6981 6979 62c548 6978->6979 7130 62e7ff 6978->7130 6982 62e7ff lstrcmpiA 6979->6982 6987 62c54f 6979->6987 6981->6978 6983 62c615 6982->6983 6985 62ebcc 4 API calls 6983->6985 6983->6987 6985->6987 6986 62c5d1 6989 62ebcc 4 API calls 6986->6989 6987->6377 6988 62e819 11 API calls 6990 62c5b7 6988->6990 6989->6987 6991 62f04e 4 API calls 6990->6991 6992 62c5bf 6991->6992 6992->6979 6992->6986 6995 62c8d2 6993->6995 6994 62c907 6994->6379 6995->6994 6996 62c517 23 API calls 6995->6996 6996->6994 6998 62c67d 6997->6998 6999 62c670 6997->6999 7001 62ebcc 4 API calls 6998->7001 7002 62c699 6998->7002 7000 62ebcc 4 API calls 6999->7000 7000->6998 7001->7002 7003 62c6f3 7002->7003 7004 62c73c send 7002->7004 7003->6408 7003->6439 7004->7003 7006 62c77d 7005->7006 7007 62c770 7005->7007 7009 62ebcc 4 API calls 7006->7009 7011 62c799 7006->7011 7008 62ebcc 4 API calls 7007->7008 7008->7006 7009->7011 7010 62c7b5 7013 62f43e recv 7010->7013 7011->7010 7012 62ebcc 4 API calls 7011->7012 7012->7010 7014 62c7cb 7013->7014 7015 62f43e recv 7014->7015 7016 62c7d3 7014->7016 7015->7016 7016->6439 7133 627db7 7017->7133 7020 62f04e 4 API calls 7023 627e4c 7020->7023 7021 627e70 7022 62f04e 4 API calls 7021->7022 7024 627e96 7021->7024 7022->7024 7023->7021 7025 62f04e 4 API calls 7023->7025 7024->6439 7025->7021 7027 626ec3 2 API calls 
7026->7027 7028 627fdd 7027->7028 7029 6273ff 17 API calls 7028->7029 7038 6280c2 CreateProcessA 7028->7038 7030 627fff 7029->7030 7031 627809 21 API calls 7030->7031 7030->7038 7032 62804d 7031->7032 7033 62ef1e lstrlenA 7032->7033 7032->7038 7034 62809e 7033->7034 7035 62ef1e lstrlenA 7034->7035 7036 6280af 7035->7036 7037 627a95 24 API calls 7036->7037 7037->7038 7038->6462 7038->6463 7040 627db7 2 API calls 7039->7040 7041 627eb8 7040->7041 7042 62f04e 4 API calls 7041->7042 7043 627ece DeleteFileA 7042->7043 7043->6439 7045 62dd05 6 API calls 7044->7045 7046 62e31d 7045->7046 7137 62e177 7046->7137 7048 62e326 7048->6433 7050 6231f3 7049->7050 7060 6231ec 7049->7060 7051 62ebcc 4 API calls 7050->7051 7059 6231fc 7051->7059 7052 623459 7055 62f04e 4 API calls 7052->7055 7053 62349d 7054 62ec2e codecvt 4 API calls 7053->7054 7054->7060 7056 62345f 7055->7056 7058 6230fa 4 API calls 7056->7058 7057 62ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7057->7059 7058->7060 7059->7057 7059->7060 7061 62344d 7059->7061 7064 623141 lstrcmpiA 7059->7064 7065 62344b 7059->7065 7163 6230fa GetTickCount 7059->7163 7060->6439 7062 62ec2e codecvt 4 API calls 7061->7062 7062->7065 7064->7059 7065->7052 7065->7053 7067 6230fa 4 API calls 7066->7067 7068 623c1a 7067->7068 7072 623ce6 7068->7072 7168 623a72 7068->7168 7071 623a72 9 API calls 7075 623c5e 7071->7075 7072->6439 7073 623a72 9 API calls 7073->7075 7074 62ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7074->7075 7075->7072 7075->7073 7075->7074 7077 623a10 7076->7077 7078 6230fa 4 API calls 7077->7078 7079 623a1a 7078->7079 7079->6439 7081 62dd05 6 API calls 7080->7081 7082 62e7be 7081->7082 7082->6439 7084 62c07e wsprintfA 7083->7084 7088 62c105 7083->7088 7177 62bfce GetTickCount wsprintfA 7084->7177 7086 62c0ef 7178 62bfce GetTickCount wsprintfA 7086->7178 7088->6439 7090 627047 7089->7090 7091 626f88 LookupAccountNameA 7089->7091 7090->6439 7093 627025 7091->7093 7094 626fcb 7091->7094 
7179 626edd 7093->7179 7096 626fdb ConvertSidToStringSidA 7094->7096 7096->7093 7098 626ff1 7096->7098 7099 627013 LocalFree 7098->7099 7099->7093 7101 62dd05 6 API calls 7100->7101 7102 62e85c 7101->7102 7103 62dd84 lstrcmpiA 7102->7103 7104 62e867 7103->7104 7105 62e885 lstrcpyA 7104->7105 7190 6224a5 7104->7190 7193 62dd69 7105->7193 7111 627db7 2 API calls 7110->7111 7112 627de1 7111->7112 7113 627e16 7112->7113 7114 62f04e 4 API calls 7112->7114 7113->6439 7115 627df2 7114->7115 7115->7113 7116 62f04e 4 API calls 7115->7116 7116->7113 7118 62ca1d 7117->7118 7119 62f33b 7117->7119 7118->6392 7118->6972 7120 62f347 htons socket 7119->7120 7121 62f382 ioctlsocket 7120->7121 7122 62f374 closesocket 7120->7122 7123 62f3aa connect select 7121->7123 7124 62f39d 7121->7124 7122->7118 7123->7118 7126 62f3f2 __WSAFDIsSet 7123->7126 7125 62f39f closesocket 7124->7125 7125->7118 7126->7125 7127 62f403 ioctlsocket 7126->7127 7129 62f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7127->7129 7129->7118 7131 62dd84 lstrcmpiA 7130->7131 7132 62c58e 7131->7132 7132->6979 7132->6986 7132->6988 7134 627dc8 InterlockedExchange 7133->7134 7135 627dc0 Sleep 7134->7135 7136 627dd4 7134->7136 7135->7134 7136->7020 7136->7021 7138 62e184 7137->7138 7139 62e223 7138->7139 7150 62e2e4 7138->7150 7153 62dfe2 7138->7153 7141 62dfe2 8 API calls 7139->7141 7139->7150 7145 62e23c 7141->7145 7142 62e1be 7142->7139 7143 62dbcf 3 API calls 7142->7143 7146 62e1d6 7143->7146 7144 62e21a CloseHandle 7144->7139 7145->7150 7157 62e095 RegCreateKeyExA 7145->7157 7146->7139 7146->7144 7147 62e1f9 WriteFile 7146->7147 7147->7144 7148 62e213 7147->7148 7148->7144 7150->7048 7151 62e2a3 7151->7150 7152 62e095 4 API calls 7151->7152 7152->7150 7154 62dffc 7153->7154 7156 62e024 7153->7156 7155 62db2e 8 API calls 7154->7155 7154->7156 7155->7156 7156->7142 7158 62e172 7157->7158 7160 62e0c0 7157->7160 7158->7151 7159 62e13d 7161 62e14e RegDeleteValueA RegCloseKey 7159->7161 7160->7159 7162 
62e115 RegSetValueExA 7160->7162 7161->7158 7162->7159 7162->7160 7164 623122 InterlockedExchange 7163->7164 7165 62312e 7164->7165 7166 62310f GetTickCount 7164->7166 7165->7059 7166->7165 7167 62311a Sleep 7166->7167 7167->7164 7169 62f04e 4 API calls 7168->7169 7170 623a83 7169->7170 7172 623bc0 7170->7172 7175 623b66 lstrlenA 7170->7175 7176 623ac1 7170->7176 7171 623be6 7173 62ec2e codecvt 4 API calls 7171->7173 7172->7171 7174 62ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7172->7174 7173->7176 7174->7172 7175->7170 7175->7176 7176->7071 7176->7072 7177->7086 7178->7088 7180 626eef AllocateAndInitializeSid 7179->7180 7186 626f55 wsprintfA 7179->7186 7181 626f44 7180->7181 7182 626f1c CheckTokenMembership 7180->7182 7181->7186 7187 626e36 GetUserNameW 7181->7187 7183 626f3b FreeSid 7182->7183 7184 626f2e 7182->7184 7183->7181 7184->7183 7186->7090 7188 626e5f LookupAccountNameW 7187->7188 7189 626e97 7187->7189 7188->7189 7189->7186 7191 622419 4 API calls 7190->7191 7192 6224b6 7191->7192 7192->7105 7194 62dd79 lstrlenA 7193->7194 7194->6439 7196 62eb17 7195->7196 7197 62eb21 7195->7197 7198 62eae4 2 API calls 7196->7198 7197->6519 7198->7197 7201 6269b9 WriteFile 7199->7201 7203 626a3c 7201->7203 7204 6269ff 7201->7204 7202 626a10 WriteFile 7202->7203 7202->7204 7203->6514 7203->6515 7204->7202 7204->7203 7206 623edc 7205->7206 7208 623ee2 7205->7208 7207 626dc2 6 API calls 7206->7207 7207->7208 7208->6530 7210 62400b CreateFileA 7209->7210 7211 62402c GetLastError 7210->7211 7212 624052 7210->7212 7211->7212 7213 624037 7211->7213 7212->6533 7213->7212 7214 624041 Sleep 7213->7214 7214->7210 7214->7212 7216 623f4e GetLastError 7215->7216 7217 623f7c 7215->7217 7216->7217 7218 623f5b WaitForSingleObject GetOverlappedResult 7216->7218 7219 623f8c ReadFile 7217->7219 7218->7217 7220 623fc2 GetLastError 7219->7220 7221 623ff0 7219->7221 7220->7221 7222 623fcf WaitForSingleObject GetOverlappedResult 7220->7222 7221->6538 7221->6539 7222->7221 
7224 621924 GetVersionExA 7223->7224 7224->6578 7226 62f0f1 7225->7226 7227 62f0ed 7225->7227 7228 62f0fa lstrlenA SysAllocStringByteLen 7226->7228 7229 62f119 7226->7229 7227->6610 7230 62f117 7228->7230 7231 62f11c MultiByteToWideChar 7228->7231 7229->7231 7230->6610 7231->7230 7233 621820 17 API calls 7232->7233 7234 6218f2 7233->7234 7235 6218f9 7234->7235 7249 621280 7234->7249 7235->6598 7237 621908 7237->6598 7261 621000 7238->7261 7240 621839 7241 621851 GetCurrentProcess 7240->7241 7242 62183d 7240->7242 7243 621864 7241->7243 7242->6595 7243->6595 7245 62920e 7244->7245 7248 629308 7244->7248 7245->7245 7246 6292f1 Sleep 7245->7246 7247 6292bf ShellExecuteA 7245->7247 7245->7248 7246->7245 7247->7245 7247->7248 7248->6598 7250 6212e1 7249->7250 7251 6216f9 GetLastError 7250->7251 7252 6213a8 7250->7252 7253 621699 7251->7253 7252->7253 7254 621570 lstrlenW 7252->7254 7255 6215be GetStartupInfoW 7252->7255 7256 6215ff CreateProcessWithLogonW 7252->7256 7260 621668 CloseHandle 7252->7260 7253->7237 7254->7252 7255->7252 7257 6216bf GetLastError 7256->7257 7258 62163f WaitForSingleObject 7256->7258 7257->7253 7258->7252 7259 621659 CloseHandle 7258->7259 7259->7252 7260->7252 7262 62100d LoadLibraryA 7261->7262 7269 621023 7261->7269 7263 621021 7262->7263 7262->7269 7263->7240 7264 6210b5 GetProcAddress 7265 6210d1 GetProcAddress 7264->7265 7266 62127b 7264->7266 7265->7266 7267 6210f0 GetProcAddress 7265->7267 7266->7240 7267->7266 7268 621110 GetProcAddress 7267->7268 7268->7266 7270 621130 GetProcAddress 7268->7270 7269->7264 7281 6210ae 7269->7281 7270->7266 7271 62114f GetProcAddress 7270->7271 7271->7266 7272 62116f GetProcAddress 7271->7272 7272->7266 7273 62118f GetProcAddress 7272->7273 7273->7266 7274 6211ae GetProcAddress 7273->7274 7274->7266 7275 6211ce GetProcAddress 7274->7275 7275->7266 7276 6211ee GetProcAddress 7275->7276 7276->7266 7277 621209 GetProcAddress 7276->7277 7277->7266 7278 621225 GetProcAddress 7277->7278 7278->7266 7279 
621241 GetProcAddress 7278->7279 7279->7266 7280 62125c GetProcAddress 7279->7280 7280->7266 7281->7240 7283 62908d 7282->7283 7284 6290e2 wsprintfA 7283->7284 7285 62ee2a 7284->7285 7286 6290fd CreateFileA 7285->7286 7287 62911a lstrlenA WriteFile CloseHandle 7286->7287 7288 62913f 7286->7288 7287->7288 7288->6633 7288->6634 7290 62ee2a 7289->7290 7291 629794 CreateProcessA 7290->7291 7292 6297c2 7291->7292 7293 6297bb 7291->7293 7294 6297d4 GetThreadContext 7292->7294 7293->6645 7295 629801 7294->7295 7296 6297f5 7294->7296 7303 62637c 7295->7303 7297 6297f6 TerminateProcess 7296->7297 7297->7293 7299 629816 7299->7297 7300 62981e WriteProcessMemory 7299->7300 7300->7296 7301 62983b SetThreadContext 7300->7301 7301->7296 7302 629858 ResumeThread 7301->7302 7302->7293 7304 626386 7303->7304 7305 62638a GetModuleHandleA VirtualAlloc 7303->7305 7304->7299 7306 6263b6 7305->7306 7307 6263f5 7305->7307 7308 6263be VirtualAllocEx 7306->7308 7307->7299 7308->7307 7309 6263d6 7308->7309 7310 6263df WriteProcessMemory 7309->7310 7310->7307 7312 628791 7311->7312 7313 62879f 7311->7313 7314 62f04e 4 API calls 7312->7314 7315 6287bc 7313->7315 7316 62f04e 4 API calls 7313->7316 7314->7313 7317 62e819 11 API calls 7315->7317 7316->7315 7318 6287d7 7317->7318 7325 628803 7318->7325 7466 6226b2 gethostbyaddr 7318->7466 7321 6287eb 7323 62e8a1 30 API calls 7321->7323 7321->7325 7323->7325 7327 62e819 11 API calls 7325->7327 7328 6288a0 Sleep 7325->7328 7330 6226b2 2 API calls 7325->7330 7331 62f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7325->7331 7332 62e8a1 30 API calls 7325->7332 7363 628cee 7325->7363 7371 62c4d6 7325->7371 7374 62c4e2 7325->7374 7377 622011 7325->7377 7412 628328 7325->7412 7327->7325 7328->7325 7330->7325 7331->7325 7332->7325 7334 624084 7333->7334 7335 62407d 7333->7335 7336 623ecd 6 API calls 7334->7336 7337 62408f 7336->7337 7338 624000 3 API calls 7337->7338 7339 624095 7338->7339 7340 624130 7339->7340 7341 6240c0 
APIs
• closesocket.WS2_32(?), ref: 0062CA4E
• closesocket.WS2_32(?), ref: 0062CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0062CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0062CCB4
• WriteFile.KERNEL32(0062A4B3,?,-000000E8,?,00000000), ref: 0062CCDC
• CloseHandle.KERNEL32(0062A4B3), ref: 0062CCED
• wsprintfA.USER32 ref: 0062CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0062CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0062CD89
• CloseHandle.KERNEL32(?), ref: 0062CD98
• CloseHandle.KERNEL32(?), ref: 0062CD9D
• DeleteFileA.KERNEL32(?), ref: 0062CDC4
• CloseHandle.KERNEL32(0062A4B3), ref: 0062CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0062CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0062CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0062D033
• lstrcatA.KERNEL32(?,03B00108), ref: 0062D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0062D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0062D171
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000), ref: 0062D195
• CloseHandle.KERNEL32(00000000), ref: 0062D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0062D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0062D231
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 0062D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0062D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0062D2C7
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0062D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0062D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0062D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0062D372
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 0062D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0062D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0062D408
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0062D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0062D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0062D45B
• CreateProcessA.KERNEL32(?,00630264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0062D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0062D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0062D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0062D513
• closesocket.WS2_32(?), ref: 0062D56C
• Sleep.KERNEL32(000003E8), ref: 0062D577
• ExitProcess.KERNEL32 ref: 0062D583
• wsprintfA.USER32 ref: 0062D81F
  • Part of subcall function 0062C65C: send.WS2_32(00000000,?,00000000), ref: 0062C74B
• closesocket.WS2_32(?), ref: 0062DAD5
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe$X c$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-1603472655
• Opcode ID: b5913138a6148e34724da7226be567d29223e3e4aa0881e3e5dc94a66a7427de
• Instruction ID: fd6e39f1c79caffe4c157e1408d7a8b491b99fa620cdb3d3c2c1f8d8bdceaa99
• Opcode Fuzzy Hash: b5913138a6148e34724da7226be567d29223e3e4aa0881e3e5dc94a66a7427de
• Instruction Fuzzy Hash: 56B2E771900A29AFEB20DFA4ED55EEE7BBFEB05300F140069F645A7291D7709A45CF90
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00629A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00629A83
• SetUnhandledExceptionFilter.KERNEL32(00626511), ref: 00629A8A
  • Part of subcall function 0062EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0062EC5E
  • Part of subcall function 0062EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0062EC72
  • Part of subcall function 0062EC54: GetTickCount.KERNEL32 ref: 0062EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00629AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00629ABA
• GetCommandLineA.KERNEL32 ref: 00629AFD
• lstrlenA.KERNEL32(?), ref: 00629B99
• ExitProcess.KERNEL32 ref: 00629C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00629CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00629D7A
• lstrcatA.KERNEL32(?,?), ref: 00629D8B
• lstrcatA.KERNEL32(?,0063070C), ref: 00629D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00629DED
• DeleteFileA.KERNEL32(00000022), ref: 00629E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00629E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00629EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00629ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00629F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00629F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00629F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00629FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00629FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00629FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0062A038
                                                                                        • lstrcatA.KERNEL32(00000022,00630A34), ref: 0062A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0062A072
                                                                                        • lstrcatA.KERNEL32(00000022,00630A34), ref: 0062A08D
                                                                                        • wsprintfA.USER32 ref: 0062A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0062A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0062A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0062A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0062A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0062A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0062A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0062A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 0062A1E5
                                                                                          • Part of subcall function 006299D2: lstrcpyA.KERNEL32(?,?,00000100,006322F8,00000000,?,00629E9D,?,00000022,?,?,?,?,?,?,?), ref: 006299DF
                                                                                          • Part of subcall function 006299D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00629E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00629A3C
                                                                                          • Part of subcall function 006299D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00629E9D,?,00000022,?,?,?), ref: 00629A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 0062A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0062A3B7
                                                                                        • GetLastError.KERNEL32 ref: 0062A3ED
                                                                                        • Sleep.KERNELBASE(000003E8), ref: 0062A400
                                                                                        • DeleteFileA.KERNELBASE(006333D8), ref: 0062A407
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,0062405E,00000000,00000000,00000000), ref: 0062A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0062A43A
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,0062877E,00000000,00000000,00000000), ref: 0062A469
                                                                                        • Sleep.KERNELBASE(00000BB8), ref: 0062A48A
                                                                                        • GetTickCount.KERNEL32 ref: 0062A49F
                                                                                        • GetTickCount.KERNEL32 ref: 0062A4B7
                                                                                        • Sleep.KERNELBASE(00007530), ref: 0062A4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe$D$P$\$crxslmyv
                                                                                        • API String ID: 2089075347-270588858
                                                                                        • Opcode ID: 82b5102548ac7011ff300d4a016fd84d65aefc337f8189b2df2ea0a2cfdbfc81
                                                                                        • Instruction ID: 6e1f1d14ab0909bdfaa6c7cd1783885a28077522b5f0d51dc350db3daf24f24c
                                                                                        • Opcode Fuzzy Hash: 82b5102548ac7011ff300d4a016fd84d65aefc337f8189b2df2ea0a2cfdbfc81
                                                                                        • Instruction Fuzzy Hash: 9D52A6B1D40669AFEF11DFA0EC49EEE77BEAF04300F1444A9F509E2141E7719A488FA5

                                                                                        Control-flow Graph (rendered graph omitted): function starting at 62199c; blocks call inet_addr, LoadLibraryA, GetProcAddress, GetBestInterface, GetProcessHeap, HeapAlloc, GetAdaptersInfo, HeapReAlloc, HeapFree and FreeLibrary.
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 006219B1
                                                                                        • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00621E9E), ref: 006219BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 006219E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 006219ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 006219F9
                                                                                        • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00621E9E), ref: 00621A1B
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00621E9E), ref: 00621A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00621E9E), ref: 00621A36
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00621E9E,?,?,?,?,00000001,00621E9E), ref: 00621A4A
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00621E9E,?,?,?,?,00000001,00621E9E), ref: 00621A5A
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00621E9E,?,?,?,?,00000001,00621E9E), ref: 00621A6E
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00621E9E), ref: 00621A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00621E9E), ref: 00621AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 293628436-270533642
                                                                                        • Opcode ID: f470aa10103d42d3b391ccee312f5645ec30f2a3c902fa4fcc665de32782afae
                                                                                        • Instruction ID: 43b79a1f7f385c46dde9616d97baeffc5bb09027969bc1bfe770499226101397
                                                                                        • Opcode Fuzzy Hash: f470aa10103d42d3b391ccee312f5645ec30f2a3c902fa4fcc665de32782afae
                                                                                        • Instruction Fuzzy Hash: 7C318B32D05669AFDB119FE4EC988BEBBBBEF66301B24017AE501A6210D7304E45CF90

                                                                                        Control-flow Graph (rendered graph omitted): function starting at 627a95; blocks call RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, LocalFree, GetSecurityDescriptorDacl, GetAce, DeleteAce, SetSecurityDescriptorDacl, RegSetValueExA (via sub 622544) and RegCloseKey.
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00627ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00627ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0063070C,?,?,?), ref: 00627B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00627B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00627B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00627B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00627B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00627B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00627B9C
                                                                                        • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00627BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00627BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00627FC9,?,00000000), ref: 00627BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe$D
                                                                                        • API String ID: 2976863881-3264072368
                                                                                        • Opcode ID: d27685810ab5914945b1e660607af6b58dbbd0f88a3b3a52f0ad8c05c6f0a88f
                                                                                        • Instruction ID: ef9935f6479647735ac76044c6f9b16ee142aa847567d9522c1eed971bab3670
                                                                                        • Opcode Fuzzy Hash: d27685810ab5914945b1e660607af6b58dbbd0f88a3b3a52f0ad8c05c6f0a88f
                                                                                        • Instruction Fuzzy Hash: 77A17171A04629AFEF119FA0EC94FEEBBBAFF04701F044469E505E2250D7359A45CFA0

                                                                                        Control-flow Graph (rendered graph omitted): function starting at 627809; blocks call GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA, LocalFree, GetSecurityDescriptorDacl, GetAce, DeleteAce and SetSecurityDescriptorDacl.
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0062782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00627866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00627878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0062789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00627F63,?), ref: 006278B8
                                                                                        • EqualSid.ADVAPI32(?,00627F63), ref: 006278D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 006278E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 006278F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00627901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00627910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00627917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00627933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00627963
                                                                                        • EqualSid.ADVAPI32(?,00627F63), ref: 0062798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 006279A3
                                                                                        • EqualSid.ADVAPI32(?,00627F63), ref: 006279C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00627A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00627A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00627A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00627A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00627A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: 22d9f38afac398de13ab7c1ec52a9ac139d6f834ce6c2293144c4af3b8f9fa28
                                                                                        • Instruction ID: a6abbe240c9e523c8634f72640b42d2cab76e09af7d50771f9225161a7d80ca1
                                                                                        • Opcode Fuzzy Hash: 22d9f38afac398de13ab7c1ec52a9ac139d6f834ce6c2293144c4af3b8f9fa28
                                                                                        • Instruction Fuzzy Hash: D0814E71D04629ABEB21CFA5DD84FEEBBBEEF08340F14416AE505E2250D7349A45CFA0

                                                                                        Control-flow Graph (rendered graph omitted): function starting at 628328; blocks call RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey, GetTempPathA, lstrcpyA, lstrlenA, CreateProcessA, CloseHandle and DeleteFileA, plus internal subroutines 627dd6, 626ec3, 6273ff, 622544, 62675c, 626ba7, 627e2f, 627fcf, 627ee6 and 627ead.
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 006283F3
                                                                                        • RegQueryValueExA.KERNELBASE(00630750,?,00000000,?,00628893,?,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 00628414
                                                                                        • RegSetValueExA.KERNELBASE(00630750,?,00000000,00000004,00628893,00000004,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 00628441
                                                                                        • RegCloseKey.ADVAPI32(00630750,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 0062844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe$localcfg
                                                                                        • API String ID: 237177642-1041734748
                                                                                        • Opcode ID: 99c40c53c76f0b8e975ee4e0285f1ba36c55365a2416a4caeba4c28b043dc6ac
                                                                                        • Instruction ID: 223ff98ccd4ae8ae88c573366cfeb00f8de6da7aef89ad3493a561fb38572e91
                                                                                        • Opcode Fuzzy Hash: 99c40c53c76f0b8e975ee4e0285f1ba36c55365a2416a4caeba4c28b043dc6ac
                                                                                        • Instruction Fuzzy Hash: 10C1C2B194162ABFEF51AFA4EC95EEE7BBEEB04300F144069F601A3151EB314E448F65
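                                                                                        The APIs records in this report are the part an analyst actually reads, so here is an added example, not part of the Joe Sandbox report or its tooling, that parses those lines into structured call records and derives triage tags from them: the hive decoded from the hKey argument of RegOpenKeyExA, the value names visible in the registry calls, and the names passed to the dynamic-resolution APIs. The sample lines are copied from the records on this page; the line-format regex, the tag rules and the argument classification are this example's own assumptions about the plugin output.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' lines and derive triage tags.

Added example: not code from the Joe Sandbox report or its tooling. The
regex, the tag rules and the argument classification are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: lines copied from the function records on this page,
# grouped by the entry address of the function they belong to.
SAMPLE_RECORDS = {
    "00628328": """
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 006283F3
• RegQueryValueExA.KERNELBASE(00630750,?,00000000,?,00628893,?,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 00628414
• RegSetValueExA.KERNELBASE(00630750,?,00000000,00000004,00628893,00000004,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 00628441
• RegCloseKey.ADVAPI32(00630750,?,?,00000000,00000103,00630750,?,?,00000000,localcfg,00000000), ref: 0062844A
""",
    "00621d96": """
• GetVersionExA.KERNEL32 ref: 00621DC6
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00621E03
• GetProcAddress.KERNEL32(00000000), ref: 00621E0A
  • Part of subcall function 00621BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00621C15
""",
    "00622d21": """
• LoadLibraryA.KERNEL32(?), ref: 00622D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00622D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00622D77
""",
}

# Assumed line format: "• Api.MODULE(arg,arg,...), ref: ADDR" or "• Api.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR:".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")
HIVES = {  # predefined HKEY handle values as they appear in the hKey argument
    "80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS",
}
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "LoadLibraryA"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                      # argument tokens exactly as the plugin printed them
    ref: str                         # call-site address
    subcall_of: Optional[str] = None # set for "Part of subcall function X" lines


def parse_record(text):
    """Turn one function's APIs section into ApiCall records (non-matching lines are skipped)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def string_args(call):
    """Tokens that are neither '?' nor an 8-digit hex value: the plugin resolved them to strings."""
    return {a for a in call.args if a != "?" and not HEX8.fullmatch(a)}


def triage(calls):
    """Derive coarse behaviour tags from one function's calls."""
    apis = {c.api for c in calls}
    hives = {HIVES[c.args[0]] for c in calls
             if c.api.startswith("RegOpenKeyEx") and c.args and c.args[0] in HIVES}
    reg_strings = set().union(*(string_args(c) for c in calls if c.api.startswith("Reg")))
    resolved = set().union(*(string_args(c) for c in calls if c.api in RESOLVERS))
    tags = set()
    if apis & {"RegSetValueExA", "RegSetValueExW"}:
        tags.add("registry_write")
        if "HKEY_LOCAL_MACHINE" in hives:
            tags.add("hklm_registry_write")  # machine-wide state, needs admin rights
    if "GetProcAddress" in apis:
        tags.add("dynamic_api_resolution")
    if any(a.startswith("DnsQuery") for a in apis):
        tags.add("dns_lookup")
    return {"tags": tags, "hives": hives,
            "registry_strings": reg_strings, "resolved_names": resolved}


def summarize(records):
    """Map function address -> triage result for a whole set of records."""
    return {addr: triage(parse_record(text)) for addr, text in records.items()}


if __name__ == "__main__":
    for addr, result in summarize(SAMPLE_RECORDS).items():
        print(addr, sorted(result["tags"]), sorted(result["registry_strings"]),
              sorted(result["resolved_names"]))
```

                                                                                        The plugin prints the stack contents at the call site rather than only the real parameters, which is why localcfg shows up in all four registry calls of 00628328 and why kernel32 and IsWow64Process appear on the GetModuleHandleA line rather than on GetProcAddress; string_args therefore unions across the related calls instead of trusting argument positions beyond the first.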

                                                                                        Control-flow Graph

                                                                                        Function at 00621d96 (rendered in the report with executed and not-executed blocks coloured; the node and edge list is not reproduced here). Blocks call GetVersionExA, GetSystemInfo, GetModuleHandleA and GetProcAddress (resolving IsWow64Process from kernel32), GetCurrentProcess and GetTickCount, plus the internal routines 621b71, 621bdf, 62199c, 6230b5, 626ec3, 62df70, 62e819, 62ea84, 62ee2a and 62f04e.
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 00621DC6
                                                                                        • GetSystemInfo.KERNELBASE(?), ref: 00621DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00621E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00621E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00621E1B
                                                                                        • GetTickCount.KERNEL32 ref: 00621FC9
                                                                                          • Part of subcall function 00621BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00621C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: b3aabe6584f9b344ec5bd4e40e00abda11370afa26c2f81361e6a5e7c505783a
                                                                                        • Instruction ID: 1167818ed7484e1261e5971620d9eeb520726b761bec992b622dc8f4348955cc
                                                                                        • Opcode Fuzzy Hash: b3aabe6584f9b344ec5bd4e40e00abda11370afa26c2f81361e6a5e7c505783a
                                                                                        • Instruction Fuzzy Hash: FE5126B0904B546FF370AF759C86F67BAEEEF55704F00082CF4968A242D775A9088BA5

                                                                                        Control-flow Graph

                                                                                        Function at 006273ff (rendered in the report with executed and not-executed blocks coloured; the node and edge list is not reproduced here). Blocks call RegOpenKeyExA on HKEY_LOCAL_MACHINE, a RegEnumKeyA loop that opens each enumerated subkey with RegOpenKeyExA and reads a value with RegQueryValueExA, a string comparison through ___ascii_stricmp (routine 62ed77), GetFileAttributesExA, and RegCloseKey on every exit path, plus the internal routines 626dc2, 622544, 626cad, 626c96, 62ed03, 62ed23, 62ee08, 62ee2a, 62ee95, 62ef00 and 62f1a5.
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00627472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 006274F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00627528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0062764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 006276E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00627706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00627717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00627745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 006277EF
                                                                                          • Part of subcall function 0062F1A5: lstrlenA.KERNEL32(00000000,00000000,006322F8,00000000,0062733D,00000000), ref: 0062F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0062778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 006277E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 119ed9b20355eb80c789d4cf35e9f0cd762610cd5b98d2f7ed0bd14b57456f8c
                                                                                        • Instruction ID: cd04fd2dd398d2ddd1a467487a85b7ba779a0c6a2c22dbff81b3106d7eed4e47
                                                                                        • Opcode Fuzzy Hash: 119ed9b20355eb80c789d4cf35e9f0cd762610cd5b98d2f7ed0bd14b57456f8c
                                                                                        • Instruction Fuzzy Hash: 13C1A271904A29AFEB119FA4EC45FEEBBBAEF45310F1400A5F504E6291EB31DE448F64

                                                                                        Control-flow Graph

                                                                                        Function at 0062675c (rendered in the report with executed and not-executed blocks coloured; the node and edge list is not reproduced here). Blocks call SetFileAttributesA, CreateFileA (with a second CreateFileA attempt using different flags if the first fails), GetFileSize, an alternating ReadFile and SetFilePointer sequence, and CloseHandle, plus the internal routines 62ebcc and 62ec2e (the latter frees a heap block, see the subcall entries below).
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0062677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0062679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 006267B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 006267BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 006267D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,00628244,00000000,?,74DF0F10,00000000), ref: 00626807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0062681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0062683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0062685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00628244,00000000,?,74DF0F10,00000000), ref: 0062688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00626906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,00628244,00000000,?,74DF0F10,00000000), ref: 0062691C
                                                                                        • CloseHandle.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00626971
                                                                                          • Part of subcall function 0062EC2E: GetProcessHeap.KERNEL32(00000000,'b,00000000,0062EA27,00000000), ref: 0062EC41
                                                                                          • Part of subcall function 0062EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0062EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: 51ac4c6a5de9f510c5af45005994dff7fa2177c3a6246cf5b5636fbcdcb8682d
                                                                                        • Instruction ID: 50a509c7062a13b649246bbd7718dc0e86ab75fe9e719e333cbfc3fb513ce2b7
                                                                                        • Opcode Fuzzy Hash: 51ac4c6a5de9f510c5af45005994dff7fa2177c3a6246cf5b5636fbcdcb8682d
                                                                                        • Instruction Fuzzy Hash: EF710B71D0062AEFDF118FA4DC809EEBBBAFB04314F10456AF515A6290D7309E96DFA0

                                                                                        Control-flow Graph

                                                                                        Function at 0062f315 (rendered in the report with executed and not-executed blocks coloured; the node and edge list is not reproduced here). Blocks call htons, socket, ioctlsocket, connect, select and __WSAFDIsSet (the ioctlsocket / connect / select pattern of a non-blocking connect with a timeout), a second ioctlsocket, and closesocket on the failure paths, plus the internal routines 62ee2a and 62f26d.
                                                                                        APIs
                                                                                        • htons.WS2_32(0062CA1D), ref: 0062F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0062F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0062F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 630760c50835386ca446f548bd47f0bc3ce3e118f76fa39a10bc960969e2edb3
                                                                                        • Instruction ID: f5c6622d6389a9e93421687974b25e5631b56df45f135188fd60f08d187acc97
                                                                                        • Opcode Fuzzy Hash: 630760c50835386ca446f548bd47f0bc3ce3e118f76fa39a10bc960969e2edb3
                                                                                        • Instruction Fuzzy Hash: ED317872900528ABEB10DFA4EC899EF7BFEEB88314F104176F905E2151E6708A458FE0

                                                                                        Control-flow Graph

                                                                                        Function at 0062405e (rendered in the report with executed and not-executed blocks coloured; the node and edge list is not reproduced here). Blocks call CreateEventA, a CreateNamedPipeA retry loop with Sleep, ConnectNamedPipe with GetLastError handling, DisconnectNamedPipe, ExitProcess on one path, and CloseHandle, plus the internal routines 623ecd, 624000, 623f18, 623f8c, 62e318, 62eca5 and 62ee2a.
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00624070
                                                                                        • ExitProcess.KERNEL32 ref: 00624121
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        • Opcode ID: f03ba6cd0bd54411062a4e6877fb9fa20dac3c96f1a27b13f7a80307212935b6
                                                                                        • Instruction ID: 5c1161362df03bb98eb633e1f5988cf9de8c321f42b6f62587ba54e711d7f75d
                                                                                        • Opcode Fuzzy Hash: f03ba6cd0bd54411062a4e6877fb9fa20dac3c96f1a27b13f7a80307212935b6
                                                                                        • Instruction Fuzzy Hash: 7F51A5B1D00629BBEB109BA1AD85FFF7B7EEF11754F100065F600A6280DB358A45CFA1

                                                                                        Control-flow Graph

                                                                                        Function at 00622d21 (rendered in the report with executed and not-executed blocks coloured; the node and edge list is not reproduced here). Blocks call GetModuleHandleA with a LoadLibraryA fallback, GetProcAddress (resolving DnsQuery_A from dnsapi.dll), DnsQuery_A, GetProcessHeap and HeapAlloc followed by lstrcpynA for each result, plus the internal routine 62ee2a.
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00622F01,?,006220FF,00632000), ref: 00622D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00622D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00622D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00622D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00622D99
• HeapAlloc.KERNEL32(00000000), ref: 00622DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00622DCB
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 233223969-3847274415
• Opcode ID: f6052097e7c8dbe031423185d4a18fa963a9481cfaa1fcb327056756db0b3e25
• Instruction ID: 3ae69897cb8464b86ef68755127bc54b5f9c3ff0b81ff887942e19b7259fe634
• Instruction Fuzzy Hash: 86216271900A26BBDB119F94EC64AEEBBBAEF08750F104451F905E7210D770A9858BD0

Control-flow Graph (entry block 6280c9-6280ed; rendered graph not reproduced)
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0062815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0062A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00628187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0062A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 006281BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00628210
  • Part of subcall function 0062675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0062677E
  • Part of subcall function 0062675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0062679A
  • Part of subcall function 0062675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 006267B0
  • Part of subcall function 0062675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 006267BF
  • Part of subcall function 0062675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 006267D3
  • Part of subcall function 0062675C: ReadFile.KERNELBASE(000000FF,?,00000040,00628244,00000000,?,74DF0F10,00000000), ref: 00626807
  • Part of subcall function 0062675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0062681F
  • Part of subcall function 0062675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0062683E
  • Part of subcall function 0062675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0062685C
  • Part of subcall function 0062EC2E: GetProcessHeap.KERNEL32(00000000,'b,00000000,0062EA27,00000000), ref: 0062EC41
  • Part of subcall function 0062EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0062EC48
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\crxslmyv\upwtsplm.exe
• API String ID: 124786226-1428914613
• Opcode ID: 1dd2c25c9b5c390a69bc91a8220444bb325157ceee2f7973e6ebb3fd50d3cebb
• Instruction ID: a7f5fd0a5c212d64254a9bd802aaafceeeffff97e258449900af018aee493659
• Instruction Fuzzy Hash: 3C41B4B190252ABFEB50EBA0FD95DFE776EEB10300F04146AF501A3151EA715F488F94

Control-flow Graph (entry block 621ac3-621adc; rendered graph not reproduced)
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00621AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00621AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00621B20
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: efe23e13039cfe04bc3ca6d70a6b60b83a6df4c455b75954b8f82db785313b26
• Instruction ID: ae26fbb45e6ea8e8cbdb0a67b28e51e619f7512382b7e198a8ec9d995ff071fe
• Instruction Fuzzy Hash: 4F110671E05538BFCB259BA4EC848EEBBBBEB6AB12F144055E005AB200E6304E40CF84

Control-flow Graph (entry block 62e3ca-62e3ee; rendered graph not reproduced)
APIs
• RegOpenKeyExA.KERNELBASE(80000001,0062E5F2,00000000,00020119,0062E5F2,006322F8), ref: 0062E3E6
• RegQueryValueExA.ADVAPI32(0062E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0062E44E
• RegQueryValueExA.ADVAPI32(0062E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0062E482
• RegQueryValueExA.ADVAPI32(0062E5F2,?,00000000,?,80000001,?), ref: 0062E4CF
• RegCloseKey.ADVAPI32(0062E5F2,?,?,?,?,000000C8,000000E4), ref: 0062E520
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 8842f654a027d6aa7da8f611f6b93879f6c04daf5bdcb7c83d0230cdbcb0e37b
• Instruction ID: fd8904c3357cb63650425b226b62429fd9950fc446d4dede2903ed5562620dba
• Instruction Fuzzy Hash: 0941F8B2D00529AFEF119FD4EC85DEEBBBAEB04304F544465E911B6250E3329A558FA0

Control-flow Graph (single block 62f26d-62f303, setsockopt * 5; rendered graph not reproduced)
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0062F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0062F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0062F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0062F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0062F2FD
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: cca4a02780e60c776cce4624abc6c4762bd0ddef50c1252d7d66939ed62854d6
• Instruction ID: dedf1928b006653050ee6d26b5019d165d71f0802938eb589942dd40047de63e
• Instruction Fuzzy Hash: 47110AB2A40248BAEF11DF94CD85FDE7FBDEB44751F008066BB04EA1D0E6B19A44CB94

Control-flow Graph (entry block 621bdf-621c04; rendered graph not reproduced)
APIs
  • Part of subcall function 00621AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00621AD4
  • Part of subcall function 00621AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00621AE9
  • Part of subcall function 00621AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00621B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00621C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00621C51
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2794401326-2393279970
• Opcode ID: 97c11b680c7c4521321958d1702643cfa360cea07c0fa28cb11ab9b27942f4f1
• Instruction ID: cb03b767518131abd6849c5fcd78172e6703181d6fd376d5252bae7d6b10d346
• Instruction Fuzzy Hash: D901D676A44528BFEB10DAF8DCC09EFBBBDE715344F100475E602E7100D2348D448AA0

APIs
  • Part of subcall function 00621AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00621AD4
  • Part of subcall function 00621AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00621AE9
  • Part of subcall function 00621AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00621B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00621BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00621EFD,00000000,00000000,00000000,00000000), ref: 00621BB8
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2794401326-1857712256
• Opcode ID: acdbdee0d458334047082570e388a4566dfb428a22cd7536cc879a04e3285449
• Instruction ID: 4168bf36a3e8fe69007c280451b509bf5a49aae412b83452e4a13039caef6f2f
• Instruction Fuzzy Hash: E2018BB2D04518BFEB009BE9DC819EFFABEAB58650F150062A601E7140D6705E084AE0

APIs
• inet_addr.WS2_32(00000001), ref: 00622693
• gethostbyname.WS2_32(00000001), ref: 0062269F
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: 5a530b5871fef9f38d49e1007efbcba268d14f8cd63942632e0f35d20a062ab9
• Instruction ID: 9688b2f151f1b8608884ec636d3706d536efb64bd25b8ca737818a42b1e05c0b
• Instruction Fuzzy Hash: ADE0C231204822AFDB108B28F868AC637E6EF06330F018180F440D32A0C730DC808B80

APIs
  • Part of subcall function 0062EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0062EC0A,00000000,80000001,?,0062DB55,7FFF0001), ref: 0062EBAD
  • Part of subcall function 0062EBA0: HeapSize.KERNEL32(00000000,?,0062DB55,7FFF0001), ref: 0062EBB4
• GetProcessHeap.KERNEL32(00000000,'b,00000000,0062EA27,00000000), ref: 0062EC41
• RtlFreeHeap.NTDLL(00000000), ref: 0062EC48
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: Heap$Process$FreeSize
• String ID: 'b
• API String ID: 1305341483-118111435
• Opcode ID: 7d549be9fc4259f531326d5ab177737651b8d075d33844b15be97c1f9c191fdc
• Instruction ID: be34adbb9e9942862ff76d2076dc73471fded70d77aefcd99d7afe57c767dd9e
• Instruction Fuzzy Hash: EFC012325066306BD6512790BD1DFDB6B1ADF45712F090409F40566250876058404AE5

APIs
  • Part of subcall function 0062DD05: GetTickCount.KERNEL32 ref: 0062DD0F
  • Part of subcall function 0062DD05: InterlockedExchange.KERNEL32(006336B4,00000001), ref: 0062DD44
  • Part of subcall function 0062DD05: GetCurrentThreadId.KERNEL32 ref: 0062DD53
• GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0062A445), ref: 0062E558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,0062A445), ref: 0062E583
• CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0062A445), ref: 0062E5B2
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
• Opcode ID: f93781cbe27c8b252af0887b8ab5483448431b230bd39c76c8ace0314e28adfc
• Instruction ID: 0db8b884007eebd005ebf1a8f292d526c5f343b08ee944331cdafa3131bbdee2
• Instruction Fuzzy Hash: 612105B2A406213AE6647B21BC17FAB3A0FDF51750F00042CFA0AB52D3EA52D910CAF5
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000003E8), ref: 006288A5
                                                                                          • Part of subcall function 0062F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0062E342,00000000,75A8EA50,80000001,00000000,0062E513,?,00000000,00000000,?,000000E4), ref: 0062F089
                                                                                          • Part of subcall function 0062F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0062E342,00000000,75A8EA50,80000001,00000000,0062E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0062F093
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$FileSystem$Sleep
                                                                                        • String ID: localcfg$rresolv
                                                                                        • API String ID: 1561729337-486471987
                                                                                        • Opcode ID: 14193fcac3cdf82ec89c05061a315df6b24cf8771e0fa3ae395e2d6e4e0af7c3
                                                                                        • Instruction ID: 83991c1f0ba16e0f8e41f40bb9b68c839382fc45b53649d5ff0fddf1fff49b50
                                                                                        • Opcode Fuzzy Hash: 14193fcac3cdf82ec89c05061a315df6b24cf8771e0fa3ae395e2d6e4e0af7c3
                                                                                        • Instruction Fuzzy Hash: 38210971189B226EF354B7657C63FAA3AEBDB00710F90002DF504961C3EE9955844DFA
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,006322F8,006242B6,00000000,00000001,006322F8,00000000,?,006298FD), ref: 00624021
                                                                                        • GetLastError.KERNEL32(?,006298FD,00000001,00000100,006322F8,0062A3C7), ref: 0062402C
                                                                                        • Sleep.KERNEL32(000001F4,?,006298FD,00000001,00000100,006322F8,0062A3C7), ref: 00624046
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 408151869-0
                                                                                        • Opcode ID: 136ecc17d963e3bfa619a7ac4cddc44a52bf5661c6ffaa7d17b451d03b7bed18
                                                                                        • Instruction ID: e024d781974abee58d02defa61bfd4fbcf35c167f3c7213dca92ad0392d3c3a3
                                                                                        • Opcode Fuzzy Hash: 136ecc17d963e3bfa619a7ac4cddc44a52bf5661c6ffaa7d17b451d03b7bed18
                                                                                        • Instruction Fuzzy Hash: C6F0A7316405116BE7354B28BC49B5A3263FB81720F254B24F3B5E61E0CB3058C5DF54
                                                                                        APIs
                                                                                        • GetEnvironmentVariableA.KERNEL32(0062DC19,?,00000104), ref: 0062DB7F
                                                                                        • lstrcpyA.KERNEL32(?,006328F8), ref: 0062DBA4
                                                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0062DBC2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                        • String ID:
                                                                                        • API String ID: 2536392590-0
                                                                                        • Opcode ID: 865fa356beab63fcf0e9ab154127a8b75af6befbd556d0ad1412dc6ee19632f2
                                                                                        • Instruction ID: a115acbbb89a27753a96891e379684e8ebb229b067de610cc97a531ec55490f6
                                                                                        • Opcode Fuzzy Hash: 865fa356beab63fcf0e9ab154127a8b75af6befbd556d0ad1412dc6ee19632f2
                                                                                        • Instruction Fuzzy Hash: D1F0B4B0100609ABEF10DF64EC59FD93B6ABB14308F204194FB51A40D0D7F2D549CF54
                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0062EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0062EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0062EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 30cb74b25070ef25c50a9c79f6cdf4b7aff3bdc978eed975aee5f34394320f84
                                                                                        • Instruction ID: bcc46add32e766b3e898cbc519a3f30ec91c1cc70b8a54f24797fbc61fec5ed0
                                                                                        • Opcode Fuzzy Hash: 30cb74b25070ef25c50a9c79f6cdf4b7aff3bdc978eed975aee5f34394320f84
                                                                                        • Instruction Fuzzy Hash: E7E0BFF5810104BFEB05EBB0DD5EE7B77BDFB08314F501650B911D61A0DA709A088BA0
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 006230D8
                                                                                        • gethostbyname.WS2_32(?), ref: 006230E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynamegethostname
                                                                                        • String ID:
                                                                                        • API String ID: 3961807697-0
                                                                                        • Opcode ID: 83b43cc0d789ac238a70407081c7856cce5a54ae24fad3a5273df21b0f2db49f
                                                                                        • Instruction ID: 4b6eb30f3e1c254a4d002e96b2fba697c94f0bb78edae6891d2b9ced422b7b63
                                                                                        • Opcode Fuzzy Hash: 83b43cc0d789ac238a70407081c7856cce5a54ae24fad3a5273df21b0f2db49f
                                                                                        • Instruction Fuzzy Hash: E9E09B71900129ABDF00DBA8EC89FCB77ECFF04304F080061F945E3250EA34E5088BA4
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0062EBFE,7FFF0001,?,0062DB55,7FFF0001), ref: 0062EBD3
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,0062DB55,7FFF0001), ref: 0062EBDA
                                                                                          • Part of subcall function 0062EB74: GetProcessHeap.KERNEL32(00000000,00000000,0062EC28,00000000,?,0062DB55,7FFF0001), ref: 0062EB81
                                                                                          • Part of subcall function 0062EB74: HeapSize.KERNEL32(00000000,?,0062DB55,7FFF0001), ref: 0062EB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocateSize
                                                                                        • String ID:
                                                                                        • API String ID: 2559512979-0
                                                                                        • Opcode ID: 38d65036fc68769719b5a9f0f7284a89f798808022e6d8a9d5431e09047aeac8
                                                                                        • Instruction ID: 281296008b14a77e28a76f2c921af231a285a0587311b7c898e07c5affe9408e
                                                                                        • Opcode Fuzzy Hash: 38d65036fc68769719b5a9f0f7284a89f798808022e6d8a9d5431e09047aeac8
                                                                                        • Instruction Fuzzy Hash: 67C08C336082306BE74127E4BC0CE9A3E9AEF083A3F040018F609C6260CB3048408BE6
                                                                                        APIs
                                                                                        • recv.WS2_32(000000C8,?,00000000,0062CA44), ref: 0062F476
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: recv
                                                                                        • String ID:
                                                                                        • API String ID: 1507349165-0
                                                                                        • Opcode ID: 299be994ad230480c7cbd445994092e64029d8b7de3eefdf88da3b661714c6f0
                                                                                        • Instruction ID: 5a65748f1e7c78e55ac3da021a06885ac90b866fae9087417489909638a4b521
                                                                                        • Opcode Fuzzy Hash: 299be994ad230480c7cbd445994092e64029d8b7de3eefdf88da3b661714c6f0
                                                                                        • Instruction Fuzzy Hash: D3F01272201559AB9B11AF59EC84CEB3BAEFB893507040131FA14D7111D671D9258BA0
                                                                                        APIs
                                                                                        • closesocket.WS2_32(00000000), ref: 00621992
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesocket
                                                                                        • String ID:
                                                                                        • API String ID: 2781271927-0
                                                                                        • Opcode ID: ac3834596a69f813cab6dbcf193741f8ddec3cf1b217e6e1246a67ad1969ce83
                                                                                        • Instruction ID: 3b8a78b641c061d498b786680138aa49fafa807fc5942b70f6fed1a6938847ad
                                                                                        • Opcode Fuzzy Hash: ac3834596a69f813cab6dbcf193741f8ddec3cf1b217e6e1246a67ad1969ce83
                                                                                        • Instruction Fuzzy Hash: D0D02232108A313A52003318BC148BFABDDCF05262700803AFC48C0110C630CC8187D5
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0062DDB5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 1586166983-0
                                                                                        • Opcode ID: 77cb1902c4c3943bcca0848449ef685df251ffb5e787438cf12d73e6e14d9d50
                                                                                        • Instruction ID: d55c22ac2bf411045f3b42c0467fd0110e8e51ad1285582768c9b78fff79e347
                                                                                        • Opcode Fuzzy Hash: 77cb1902c4c3943bcca0848449ef685df251ffb5e787438cf12d73e6e14d9d50
                                                                                        • Instruction Fuzzy Hash: FBF08C35200E63CBCB24CE24A884696B7EAEF85325F244C3EE155D2290D730DC49CF51
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00629816,EntryPoint), ref: 0062638F
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00629816,EntryPoint), ref: 006263A9
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 006263CA
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 006263EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: a2303d6d873ad0319893424d85f24fdd4a4090c74dd0a5a73aab40a9714ffe63
                                                                                        • Instruction ID: dcc409c07790f63cd5fa6134c559484692f654c92bc4665e23be23cea4344b6f
                                                                                        • Opcode Fuzzy Hash: a2303d6d873ad0319893424d85f24fdd4a4090c74dd0a5a73aab40a9714ffe63
                                                                                        • Instruction Fuzzy Hash: 8F1173B2600629BFEB259F65EC49F9B3BA9EB047A5F114024F905E7290D671DD008FA4
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00621839,00629646), ref: 00621012
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 006210C2
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 006210E1
                                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00621101
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00621121
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00621140
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00621160
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00621180
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0062119F
                                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 006211BF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 006211DF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 006211FE
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0062121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: f80b82e630f04ef7ae6a830539c2598f8c63444316406b4bdf32f0e8ace759dd
                                                                                        • Instruction ID: 409ef67261651b8e4e810e733882162bda0e98feb9eb9c5321b41d41846586d2
                                                                                        • Opcode Fuzzy Hash: f80b82e630f04ef7ae6a830539c2598f8c63444316406b4bdf32f0e8ace759dd
                                                                                        • Instruction Fuzzy Hash: 0851507154AA31E6D7208B68BC4079636EB675A321F151356A420DA3F0EBF4CBC2CFD1
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0062B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0062B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0062B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0062B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0062B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0062B329
                                                                                        • wsprintfA.USER32 ref: 0062B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: 0953581f4ad677ddddf43a8375548b9077df21f40b817ae88703bd3dcce9f807
                                                                                        • Instruction ID: a92f14d0c178bcd9c507f5a21e3b7ce214d21d42b967f7cfc89ba4432f0880b7
                                                                                        • Opcode Fuzzy Hash: 0953581f4ad677ddddf43a8375548b9077df21f40b817ae88703bd3dcce9f807
                                                                                        • Instruction Fuzzy Hash: 17511AB1D0022DABEF14DFD5D8958EEBBBAFF48304F146129E601A6150D3B44A8DCBD4
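The API chain above (FileTimeToSystemTime, GetTimeZoneInformation, wsprintfA) together with the format string `%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u` and the day/month name tables is an RFC 5322 Date-header builder, the kind a spam engine needs for every forged message. The following is an added example, not code from the report or from the sample, that reproduces what that function emits for a given local SYSTEMTIME and time-zone bias. The bias handling follows the documented semantics of TIME_ZONE_INFORMATION.Bias (minutes, UTC = local + Bias); the function and table names are my own.

```python
from datetime import datetime

# SYSTEMTIME.wDayOfWeek is Sunday=0, so the table is ordered Sun..Sat; the
# month table is ordered Jan..Dec. Both tables appear as strings in the report.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# The report's wsprintfA format: "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"
# -> day-name, day, month-name, year, hh:mm:ss, sign, offset-hours, offset-minutes


def tz_suffix(bias_minutes: int) -> str:
    """Turn a GetTimeZoneInformation-style bias into the trailing '+HHMM'/'-HHMM'.

    Windows defines UTC = local + Bias, so the RFC 5322 offset (local - UTC)
    is the negated bias. Example: CET has Bias = -60 and prints as '+0100'.
    """
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    offset = abs(offset)
    return "%s%02d%02d" % (sign, offset // 60, offset % 60)


def format_mail_date(local: datetime, bias_minutes: int) -> str:
    """Format a local wall-clock time the way the sample's function does.

    `local` stands in for the SYSTEMTIME produced by FileTimeToSystemTime;
    `bias_minutes` stands in for the Bias field of GetTimeZoneInformation.
    """
    # Python's weekday() is Monday=0; convert to the SYSTEMTIME Sunday=0 order.
    wday = (local.weekday() + 1) % 7
    return "%s, %d %s %d %02d:%02d:%02d %s" % (
        DAYS[wday], local.day, MONTHS[local.month - 1], local.year,
        local.hour, local.minute, local.second, tz_suffix(bias_minutes))


if __name__ == "__main__":
    # Constructed sample input: the build timestamp string seen elsewhere in
    # this report, interpreted as a local time in a UTC+1 zone (Bias = -60).
    print(format_mail_date(datetime(2018, 1, 13, 12, 8, 32), -60))
```

Note for detection work: the output is a fully standard Date header, so it does not by itself distinguish Tofsee mail from legitimate mail; it is useful mainly for correlating a captured message with the sandbox's clock and time-zone settings.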
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: 2f80c6cf80cfab34b7180d39133f471961f095b9bc7541a23a98b81e4ec1be2b
                                                                                        • Instruction ID: 5b5b4b824dd60a2d732d0e69b09dcb8961c178b16fb7f0feb4b6f091afc0bded
                                                                                        • Opcode Fuzzy Hash: 2f80c6cf80cfab34b7180d39133f471961f095b9bc7541a23a98b81e4ec1be2b
                                                                                        • Instruction Fuzzy Hash: 47616D72940618AFEB609FB4EC45FEA77FAFF08300F144069F968D2261EA719944CF60
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0062A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0062A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0062A893
                                                                                        • wsprintfA.USER32 ref: 0062A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0062A8D2
                                                                                        • wsprintfA.USER32 ref: 0062A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0062A97C
                                                                                        • wsprintfA.USER32 ref: 0062A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: 0fafc4a8c61080645eccd34fa70e98e50ed95e7b3d8c880a2524f0256370cbd3
                                                                                        • Instruction ID: b5b601849e25270905fe3931febed8500e11273d321611edacc6d90d84c11f85
                                                                                        • Opcode Fuzzy Hash: 0fafc4a8c61080645eccd34fa70e98e50ed95e7b3d8c880a2524f0256370cbd3
                                                                                        • Instruction Fuzzy Hash: 8CA13A71904B35ABEF208AD4FC95FEE776BAB01304F240026F941A6291D6B18D89CF97
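The strings and the send/recv sequence above describe a hand-written SMTP client: `ehlo %s` / `helo %s`, `AUTH LOGIN`, `mail from:<%s>`, `rcpt to:<%s>`, `data`, a 5-byte end-of-data terminator sent as a separate `send`, and `quit`, with replies read into a 0x3F6-byte buffer and rejected as "Too small respons", "Too big smtp respons (%d bytes)" or "Incorrect respons". The following is an added example, not code from the report or from the sample, that walks the same exchange against a scripted in-memory peer so both sides of the dialogue are visible offline. Two details are assumptions rather than facts from the page: that the `ESMTP` string is used to pick `ehlo` over `helo` from the banner, and that the 5-byte terminator is `\r\n.\r\n`. All server replies and the message are constructed for this example.

```python
import base64

MAX_REPLY = 0x3F6          # size of the recv() buffer in the report
MIN_REPLY = 3              # a reply needs at least a 3-digit code


class SmtpError(Exception):
    pass


class FakeServer:
    """Scripted peer standing in for the socket: replies come from a fixed list
    (constructed for this example) and every line the client sends is recorded."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def recv(self) -> bytes:
        return self.replies.pop(0) if self.replies else b""

    def send(self, data: bytes) -> None:
        self.sent.append(data)


def check_reply(reply: bytes, expected_code: bytes) -> int:
    """Apply the three checks the sample's error strings imply."""
    if len(reply) < MIN_REPLY:
        raise SmtpError("Too small respons")
    if len(reply) > MAX_REPLY:
        raise SmtpError("Too big smtp respons (%d bytes)" % len(reply))
    if not reply.startswith(expected_code):
        raise SmtpError("Incorrect respons: %r" % reply[:40])
    return int(reply[:3])


def command(server, line: bytes, expected_code: bytes) -> int:
    server.send(line + b"\r\n")
    return check_reply(server.recv(), expected_code)


def send_message(server, helo_name: bytes, mail_from: bytes, rcpt_to: bytes,
                 body: bytes, auth=None):
    """Drive one full delivery; returns the list of reply codes seen."""
    banner = server.recv()
    codes = [check_reply(banner, b"220")]
    # Assumption: the "ESMTP" string on the page selects ehlo vs. helo.
    greet = b"ehlo " if b"ESMTP" in banner else b"helo "
    codes.append(command(server, greet + helo_name, b"250"))
    if auth is not None:                       # AUTH LOGIN = base64 user, then password
        user, password = auth
        codes.append(command(server, b"AUTH LOGIN", b"334"))
        codes.append(command(server, base64.b64encode(user), b"334"))
        codes.append(command(server, base64.b64encode(password), b"235"))
    codes.append(command(server, b"mail from:<" + mail_from + b">", b"250"))
    codes.append(command(server, b"rcpt to:<" + rcpt_to + b">", b"250"))
    codes.append(command(server, b"data", b"354"))
    server.send(body)                          # message headers + body
    codes.append(command(server, b"\r\n.", b"250"))   # the 5-byte terminator (assumed "\r\n.\r\n")
    codes.append(command(server, b"quit", b"221"))
    return codes


def run_or_error(server, *args, **kwargs):
    """Helper for inspection: the reply codes on success, the error text otherwise."""
    try:
        return send_message(server, *args, **kwargs)
    except SmtpError as exc:
        return str(exc)


if __name__ == "__main__":
    srv = FakeServer([b"220 mx.example.test ESMTP\r\n", b"250-mx.example.test\r\n250 AUTH LOGIN\r\n",
                      b"334 VXNlcm5hbWU6\r\n", b"334 UGFzc3dvcmQ6\r\n", b"235 ok\r\n",
                      b"250 ok\r\n", b"250 ok\r\n", b"354 go ahead\r\n", b"250 queued\r\n", b"221 bye\r\n"])
    print(run_or_error(srv, b"host", b"a@from.test", b"b@to.test",
                       b"Subject: test\r\n\r\nhello", auth=(b"user", b"secret")))
    for line in srv.sent:
        print("C:", line)
```

For a honeypot or sandbox SMTP sink, the useful fingerprint is the lower-case command verbs and the bare `ehlo`/`helo` followed immediately by the envelope; a compliant MTA would also be expected to tolerate the multi-line replies and the oversized-reply abort shown here.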
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0062139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00621571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-179334549
                                                                                        • Opcode ID: 8f3753b929661c8856aa2269f4cccbfe19be3de25c0b34e38a82f79dd4a424aa
                                                                                        • Instruction ID: 8fcfb4ff85ddaefd17b11cd0d1fa7a1a825a3c2a7dbe586dc77c57cbb4524345
                                                                                        • Opcode Fuzzy Hash: 8f3753b929661c8856aa2269f4cccbfe19be3de25c0b34e38a82f79dd4a424aa
                                                                                        • Instruction Fuzzy Hash: 01F199B1508761DFD320CF64D888BAAB7E6FB9A300F10492DF5969B390D7749944CF92
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00622A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00622A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00622AA0
                                                                                        • htons.WS2_32(00000000), ref: 00622ADB
                                                                                        • select.WS2_32 ref: 00622B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00622B4A
                                                                                        • htons.WS2_32(?), ref: 00622B71
                                                                                        • htons.WS2_32(?), ref: 00622B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00622BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 8a34af8bb21f680b7027f48cde6b655a4f221e81fc4c0ea8273a22a2880dc5ac
                                                                                        • Instruction ID: 17a243d0b18a90d6b8b1e9a321140ef48da6e5019f1523083bc77665191cc83a
                                                                                        • Opcode Fuzzy Hash: 8a34af8bb21f680b7027f48cde6b655a4f221e81fc4c0ea8273a22a2880dc5ac
                                                                                        • Instruction Fuzzy Hash: 3961F471A04726AFD7609F60EC18B6FBBEAFB48745F014809F9459B250D7B0D8448FA2
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 006270C2
                                                                                        • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0062719E
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 006271B2
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00627208
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00627291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 006272C2
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 006272D0
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00627314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0062738D
                                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 006273D8
                                                                                          • Part of subcall function 0062F1A5: lstrlenA.KERNEL32(00000000,00000000,006322F8,00000000,0062733D,00000000), ref: 0062F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"
                                                                                        • API String ID: 4293430545-3817095088
                                                                                        • Opcode ID: 3f8d4d07299cf736dbf84e9e2c88a8ebc120f90bf3b3b720b3e1b3df2b0e0901
                                                                                        • Instruction ID: db4fc598e4665e3fa7d8511b71cd68250c06701502cc7ed53d257a89042400c5
                                                                                        • Opcode Fuzzy Hash: 3f8d4d07299cf736dbf84e9e2c88a8ebc120f90bf3b3b720b3e1b3df2b0e0901
                                                                                        • Instruction Fuzzy Hash: 9AB1737290462AEEEF15DFA0EC45FEE77BAAF04300F100469F501E6190EB719A94CF65
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0062AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0062ADA6
                                                                                          • Part of subcall function 0062AD08: gethostname.WS2_32(?,00000080), ref: 0062AD1C
                                                                                          • Part of subcall function 0062AD08: lstrlenA.KERNEL32(00000000), ref: 0062AD60
                                                                                          • Part of subcall function 0062AD08: lstrlenA.KERNEL32(00000000), ref: 0062AD69
                                                                                          • Part of subcall function 0062AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0062AD7F
                                                                                          • Part of subcall function 006230B5: gethostname.WS2_32(?,00000080), ref: 006230D8
                                                                                          • Part of subcall function 006230B5: gethostbyname.WS2_32(?), ref: 006230E2
                                                                                        • wsprintfA.USER32 ref: 0062AEA5
                                                                                          • Part of subcall function 0062A7A3: inet_ntoa.WS2_32(?), ref: 0062A7A9
                                                                                        • wsprintfA.USER32 ref: 0062AE4F
                                                                                        • wsprintfA.USER32 ref: 0062AE5E
                                                                                          • Part of subcall function 0062EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0062EF92
                                                                                          • Part of subcall function 0062EF7C: lstrlenA.KERNEL32(?), ref: 0062EF99
                                                                                          • Part of subcall function 0062EF7C: lstrlenA.KERNEL32(00000000), ref: 0062EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: 2ae4167b3d326163288bdc186463c90bd0f7fd3bfb70c6b9eb51fe2b4e60bb05
                                                                                        • Instruction ID: d677b2a7868c89216841974db6917b1405e19b94e083ec74c3aa1b2419a726a7
                                                                                        • Opcode Fuzzy Hash: 2ae4167b3d326163288bdc186463c90bd0f7fd3bfb70c6b9eb51fe2b4e60bb05
                                                                                        • Instruction Fuzzy Hash: D14132B290061CABEF25EFA0DC46EEE7BAEFF08300F14442AF91592152E671D958CF55
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00622F0F,?,006220FF,00632000), ref: 00622E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00622F0F,?,006220FF,00632000), ref: 00622E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00622E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00622F0F,?,006220FF,00632000), ref: 00622E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00622F0F,?,006220FF,00632000), ref: 00622E4F
                                                                                        • htons.WS2_32(00000035), ref: 00622E88
                                                                                        • inet_addr.WS2_32(?), ref: 00622E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00622EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00622F0F,?,006220FF,00632000), ref: 00622EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00622F0F,?,006220FF,00632000), ref: 00622EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: 0cfce7c553b29f4568a6b2b55e81417803173907460d985a3f10244bf980096b
                                                                                        • Instruction ID: 5d559c00577ef64884e5056b0517be979685e842561abe2a8372caf171b14c3b
                                                                                        • Opcode Fuzzy Hash: 0cfce7c553b29f4568a6b2b55e81417803173907460d985a3f10244bf980096b
                                                                                        • Instruction Fuzzy Hash: 9E31C731900A17BBEB109BB8AC68AAF77BAEF04760F150115F954E73A0D730D945AF90
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00629DD7,?,00000022,?,?,00000000,00000001), ref: 00629340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00629DD7,?,00000022,?,?,00000000,00000001), ref: 0062936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00629DD7,?,00000022,?,?,00000000,00000001), ref: 00629375
                                                                                        • wsprintfA.USER32 ref: 006293CE
                                                                                        • wsprintfA.USER32 ref: 0062940C
                                                                                        • wsprintfA.USER32 ref: 0062948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 006294F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00629526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00629571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: b2492595f9220d5c647a07eda9ac2a2c3e8366f4f500f04951c30f780c4d6206
                                                                                        • Instruction ID: 3b23700a5bdf6d2e3302140e1091711d0f829cd7355265ef7ceb74335b71ed9d
                                                                                        • Opcode Fuzzy Hash: b2492595f9220d5c647a07eda9ac2a2c3e8366f4f500f04951c30f780c4d6206
                                                                                        • Instruction Fuzzy Hash: E0A191B1900629AFFB25DFA0EC95FDE3BAEEB44740F10402AFA0596151E775D944CFA0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00622078
                                                                                        • GetTickCount.KERNEL32 ref: 006220D4
                                                                                        • GetTickCount.KERNEL32 ref: 006220DB
                                                                                        • GetTickCount.KERNEL32 ref: 0062212B
                                                                                        • GetTickCount.KERNEL32 ref: 00622132
                                                                                        • GetTickCount.KERNEL32 ref: 00622142
                                                                                          • Part of subcall function 0062F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0062E342,00000000,75A8EA50,80000001,00000000,0062E513,?,00000000,00000000,?,000000E4), ref: 0062F089
                                                                                          • Part of subcall function 0062F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0062E342,00000000,75A8EA50,80000001,00000000,0062E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0062F093
                                                                                          • Part of subcall function 0062E854: lstrcpyA.KERNEL32(00000001,?,?,0062D8DF,00000001,localcfg,except_info,00100000,00630264), ref: 0062E88B
                                                                                          • Part of subcall function 0062E854: lstrlenA.KERNEL32(00000001,?,0062D8DF,00000001,localcfg,except_info,00100000,00630264), ref: 0062E899
                                                                                          • Part of subcall function 00621C5F: wsprintfA.USER32 ref: 00621CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: ha$localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-4192562019
                                                                                        • Opcode ID: 9e26af18b60360c8c713053192abe63274cea62f395b5b0bf17e255c17267e0e
                                                                                        • Instruction ID: be0fb01884fcded25f9ffc023b42e229c4bb8dc9d87774d7ec2c81c8986aac94
                                                                                        • Opcode Fuzzy Hash: 9e26af18b60360c8c713053192abe63274cea62f395b5b0bf17e255c17267e0e
                                                                                        • Instruction Fuzzy Hash: EF51F570904B576EE728EF34FD79B973BE7EB11310F10102DE601862A1DBB49A88CE95
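Two of the functions above are DNS machinery: the one that loads `iphlpapi.dll`, resolves `GetNetworkParams` (which returns the host's configured DNS servers), allocates a buffer and sets a port with `htons(0x35)` (53) is a self-contained resolver, and the one carrying the `rbl_ip` and `rbl_bl` configuration keys is where a spam bot checks whether its own address is already on a DNS blocklist before trying direct-to-MX delivery. The following is an added example, not code from the report or from the sample, that builds and parses a raw UDP/53 A-record query and uses it for a DNSBL lookup of an address. The DNSBL zone name is a placeholder (the page does not say which lists the sample queries), the "listed" interpretation of a `127.0.0.x` answer is the usual DNSBL convention rather than something the report states, and the reply bytes are constructed so the code runs offline.

```python
import random
import socket
import struct


def build_a_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: header (RD=1, one question), QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, whether written out as labels or as a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1


def parse_a_answers(msg: bytes, txid: int):
    """Return the IPv4 strings in the answer section; [] on NXDOMAIN; raise on other errors."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    if rcode == 3:
        return []
    if rcode:
        raise ValueError("server returned rcode %d" % rcode)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append("%d.%d.%d.%d" % tuple(msg[off:off + 4]))
        off += rdlen
    return ips


def make_response(query: bytes, ips, rcode: int = 0) -> bytes:
    """Constructed reply for offline use: echo the question, answer with A records."""
    flags = 0x8180 | rcode                        # QR=1, RD=1, RA=1
    header = query[:2] + struct.pack(">HHHHH", flags, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
        for ip in ips)
    return header + query[12:] + answers


def udp_resolve(server_ip: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Real transport: one datagram to a resolver on port 53 (network I/O; not exercised offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server_ip, 53))
        return sock.recv(0x1000)                  # same buffer size as the sample's recv()
    finally:
        sock.close()


def rbl_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: the address with its octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolver) -> bool:
    """True if the DNSBL answers with a 127.0.0.x record for `ip`; `resolver` maps query bytes to reply bytes."""
    txid = random.randrange(0x10000)
    reply = resolver(build_a_query(rbl_name(ip, zone), txid))
    return any(addr.startswith("127.0.0.") for addr in parse_a_answers(reply, txid))


if __name__ == "__main__":
    # Placeholder zone and constructed replies; no packets leave the host.
    zone = "dnsbl.example.test"
    print(rbl_name("203.0.113.7", zone))
    print(is_listed("203.0.113.7", zone, lambda q: make_response(q, ["127.0.0.2"])))
    print(is_listed("203.0.113.7", zone, lambda q: make_response(q, [], rcode=3)))
```

From the network side, a host that queries `<reversed-ip>.<dnsbl zone>` for its own public address and then opens port 25 to many remote MX hosts is a stronger indicator than either behaviour alone; the bot's own resolver means the queries go straight to the servers in the adapter configuration rather than through the Windows DNS client cache.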
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0062B467
                                                                                          • Part of subcall function 0062EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0062EF92
                                                                                          • Part of subcall function 0062EF7C: lstrlenA.KERNEL32(?), ref: 0062EF99
                                                                                          • Part of subcall function 0062EF7C: lstrlenA.KERNEL32(00000000), ref: 0062EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: bd6d7ef4a0e706b731dea710e0126b74499667b2d359474d127497a7018b7c33
                                                                                        • Instruction ID: d788ae7113e136b5f4c6f97f7bc28a13bbbf93d31f6cbd958b46c5905130b2da
                                                                                        • Opcode Fuzzy Hash: bd6d7ef4a0e706b731dea710e0126b74499667b2d359474d127497a7018b7c33
                                                                                        • Instruction Fuzzy Hash: 6F4174B25405287EEF00AB94ECC2CFF7B6EEF49348F140129F904A2142DB71AA158BB5
                                                                                        APIs
                                                                                          • Part of subcall function 0062A4C7: GetTickCount.KERNEL32 ref: 0062A4D1
                                                                                          • Part of subcall function 0062A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0062A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0062C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0062C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0062C363
                                                                                        • GetTickCount.KERNEL32 ref: 0062C378
                                                                                        • GetTickCount.KERNEL32 ref: 0062C44D
                                                                                        • InterlockedIncrement.KERNEL32(0062C4E4), ref: 0062C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0062B535,00000000,?,0062C4E0), ref: 0062C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0062C4E0,00633588,00628810), ref: 0062C4CC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: 79c464a42ba66bd5be480acccabdcc9f17023f7e04567fd7cd3782e3bec69891
                                                                                        • Instruction ID: 95e306a2a66a1f79564602282b5a598fcdda8d985541a9e83db495bbe1145a1f
                                                                                        • Opcode Fuzzy Hash: 79c464a42ba66bd5be480acccabdcc9f17023f7e04567fd7cd3782e3bec69891
                                                                                        • Instruction Fuzzy Hash: 7D518AB1A00B518FD764DF69D69452ABBEAFB48310B509D3EE18BC7A90D770F8448F50
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0062BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0062BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0062BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0062BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0062BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0062BF94
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-1625972887
                                                                                        • Opcode ID: 42958b537ad3846ed0ef462470acc32080eec09db6ca04f67bcfc4a4b2a17679
                                                                                        • Instruction ID: 33b040b87c04b229c0cd0a2a7d1332e116ac9911dad17f5f4d13ad066a8ce17b
                                                                                        • Opcode Fuzzy Hash: 42958b537ad3846ed0ef462470acc32080eec09db6ca04f67bcfc4a4b2a17679
                                                                                        • Instruction Fuzzy Hash: AF51D471A00A26EFDB118F64EE50B99BBABEF04384F156069E9819B351D730ED45CF90
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00629A60,?,?,00629E9D), ref: 00626A7D
                                                                                        • GetDiskFreeSpaceA.KERNEL32(00629E9D,00629A60,?,?,?,006322F8,?,?,?,00629A60,?,?,00629E9D), ref: 00626ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00629A60,?,?,00629E9D), ref: 00626B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00629A60,?,?,00629E9D), ref: 00626B4E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00629A60,?,?,00629E9D), ref: 00626B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00629A60,?,?,00629E9D), ref: 00626B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00629A60,?,?,00629E9D), ref: 00626B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00629A60,?,?,00629E9D), ref: 00626B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00629A60,?,?,00629E9D,?,?,?,?,?,00629E9D,?,00000022,?), ref: 00626B96
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3188212458-0
                                                                                        • Opcode ID: d23c255ad0d6f25bdb75b7162b0e5ba4d2a91c120658c403a2cfcdf17a03639d
                                                                                        • Instruction ID: 377c6ce8127437beda8d87ea16b43c939df60e174787ab9a822e3058c1801036
                                                                                        • Opcode Fuzzy Hash: d23c255ad0d6f25bdb75b7162b0e5ba4d2a91c120658c403a2cfcdf17a03639d
                                                                                        • Instruction Fuzzy Hash: A831107290061EAFDB019FA4ED94ADEBB7BEB48300F14406AF211E3251D7309A558FA1
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0062D7C3), ref: 00626F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0062D7C3), ref: 00626FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00626FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0062701F
                                                                                        • wsprintfA.USER32 ref: 00627036
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: 7b5c8d21c6944e5eefff18d0a53704f3037a85bce0dbea05d0321e5a46d9340a
                                                                                        • Instruction ID: 58f37c82f1b8815db0bf45c3d13206b67327589623b3d25c02bb4543537d03d5
                                                                                        • Opcode Fuzzy Hash: 7b5c8d21c6944e5eefff18d0a53704f3037a85bce0dbea05d0321e5a46d9340a
                                                                                        • Instruction Fuzzy Hash: F1313A72904118ABDB01DFA8EC59EDE7BBDEF04310F048066F859DB241EA35DA08CF94
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,006322F8,000000E4,00626DDC,000000C8), ref: 00626CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00626CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00626D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00626D2B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                        • API String ID: 1082366364-3395550214
                                                                                        • Opcode ID: 7ca13c0d8a0751ff717cd055931d44d142bd048a19f8675e2b672cfefec26675
                                                                                        • Instruction ID: 98237a5f2176c508feb0751aa9eda347675db7f6dc96f6c77e4233130624b231
                                                                                        • Opcode Fuzzy Hash: 7ca13c0d8a0751ff717cd055931d44d142bd048a19f8675e2b672cfefec26675
                                                                                        • Instruction Fuzzy Hash: 84213B71741A6A3AF7215732BCAAFB72E4F8F13704F0C8454F404A6291CA9588498BE5
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00629947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,006322F8), ref: 006297B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,006322F8), ref: 006297EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,006322F8), ref: 006297F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,006322F8), ref: 00629831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,006322F8), ref: 0062984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,006322F8), ref: 0062985B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: d76a61b6b0d4b443ed478bed895208cda647981e51d7288db8535900e384f885
                                                                                        • Instruction ID: eb68cabe878bfd40850ca9a7b1028cfce94cd14c5e26f55a49d7b878d01775d4
                                                                                        • Opcode Fuzzy Hash: d76a61b6b0d4b443ed478bed895208cda647981e51d7288db8535900e384f885
                                                                                        • Instruction Fuzzy Hash: B8210C71901229BBEB219FA1EC49EEF7B7EEF05754F000465F919E1150EB719A44CEA0
                                                                                        APIs
                                                                                          • Part of subcall function 0062DD05: GetTickCount.KERNEL32 ref: 0062DD0F
                                                                                          • Part of subcall function 0062DD05: InterlockedExchange.KERNEL32(006336B4,00000001), ref: 0062DD44
                                                                                          • Part of subcall function 0062DD05: GetCurrentThreadId.KERNEL32 ref: 0062DD53
                                                                                          • Part of subcall function 0062DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0062DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00621E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0062EAAA,?,?), ref: 0062E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0062EAAA,?,?,00000001,?,00621E84,?), ref: 0062E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0062EAAA,?,?,00000001,?,00621E84,?,0000000A), ref: 0062E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0062EAAA,?,?,00000001,?,00621E84,?), ref: 0062E94F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: f45b2e7e7a163ad9b85ec47ed8308d876b2f7a77be1fadb6abe135ba0b14524e
                                                                                        • Instruction ID: 58a376ae873e689a602f392bfeec4c3f51d5d2515ba2281db92ad1d00b5aa3c4
                                                                                        • Opcode Fuzzy Hash: f45b2e7e7a163ad9b85ec47ed8308d876b2f7a77be1fadb6abe135ba0b14524e
                                                                                        • Instruction Fuzzy Hash: B9514F7290061AAFCF00EFA8D985DAEB7FAFF48304F14052EE415A7211DB35EA158F54
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: db82284509f46e561837fb23430583331bcdbb877ea0ee005df754dc475e0496
                                                                                        • Instruction ID: f0ce5efd64fc38ddf9f5c4fc6a9137442ed92106a05a5e3908281ce8f8aadd26
                                                                                        • Opcode Fuzzy Hash: db82284509f46e561837fb23430583331bcdbb877ea0ee005df754dc475e0496
                                                                                        • Instruction Fuzzy Hash: F021A472204525FFEB1467A0FD49DEF3A6EDB44351B101415F502E1190EB319A00DBB4
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,006322F8), ref: 0062907B
                                                                                        • wsprintfA.USER32 ref: 006290E9
                                                                                        • CreateFileA.KERNEL32(006322F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0062910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00629122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0062912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00629134
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: b6db242d06adce9ba9c39c7378854e57dd459dbf18fd02bbb43a0206f1afd85f
                                                                                        • Instruction ID: 180d9c4f20edc562b4feb8b1741395585a03ad63169dec3bf353bcd798c8381e
                                                                                        • Opcode Fuzzy Hash: b6db242d06adce9ba9c39c7378854e57dd459dbf18fd02bbb43a0206f1afd85f
                                                                                        • Instruction Fuzzy Hash: BB1187B26405247BF7646B72EC1EFAF367FDBC4B00F008069BB0AA5151EA704A159AA5
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0062DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0062DD20
                                                                                        • GetTickCount.KERNEL32 ref: 0062DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0062E538,?,74DF0F10,?,00000000,?,0062A445), ref: 0062DD3B
                                                                                        • InterlockedExchange.KERNEL32(006336B4,00000001), ref: 0062DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0062DD53
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        • Opcode ID: 5db5d968a3af636bda0e1180ced112e1d47ea40d64682e1da9637a7d794c28b4
                                                                                        • Instruction ID: 204008ed161ce310ac9214e060d3681696ba8c80891bc0f319c832f18b32d95b
                                                                                        • Opcode Fuzzy Hash: 5db5d968a3af636bda0e1180ced112e1d47ea40d64682e1da9637a7d794c28b4
                                                                                        • Instruction Fuzzy Hash: 8AF08272104A24AFE7845B66BDC9B697BA7EB45312F102415F509C6361C72095498FE2
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 0062AD1C
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0062AD60
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0062AD69
                                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0062AD7F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                                        • String ID: LocalHost
                                                                                        • API String ID: 3695455745-3154191806
                                                                                        • Opcode ID: 0d40db74cd863e86bf267c284ea8be1cf37f75ee7027fd78b58055d2d6bc7be2
                                                                                        • Instruction ID: 596ca830b4ef7c8e2e7deecd5f0e0c1d92945ed67aa6297114657e7e9fef45c7
                                                                                        • Opcode Fuzzy Hash: 0d40db74cd863e86bf267c284ea8be1cf37f75ee7027fd78b58055d2d6bc7be2
                                                                                        • Instruction Fuzzy Hash: 860189308445A95FDF3107A8B844BE43F679F92706F100856D0C0CB611D79488478F97
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00624BDD
                                                                                        • GetTickCount.KERNEL32 ref: 00624BEC
                                                                                        • Sleep.KERNEL32(00000000,?,%FROM_EMAIL,00625D02,00000000,?,0062B85C,?,00000080,?,00000000,00000000,?,%FROM_EMAIL), ref: 00624BF9
                                                                                        • InterlockedExchange.KERNEL32(00A2C0B8,00000001), ref: 00624C02
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 2207858713-2903620461
                                                                                        • Opcode ID: 75ddeec875c4736c5c2deb1a07063dee35934b3fc179d63138af4c06d762d21c
                                                                                        • Instruction ID: d6bf5ba3a5fd9990653510e36884a01caf87e769d3179bd686c5486b1e11afad
                                                                                        • Opcode Fuzzy Hash: 75ddeec875c4736c5c2deb1a07063dee35934b3fc179d63138af4c06d762d21c
                                                                                        • Instruction Fuzzy Hash: F1E07D3330122417D70013B97C80F96735EDB45363F020072FB08C2150CE52D40145F1
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,006298FD,00000001,00000100,006322F8,0062A3C7), ref: 00624290
                                                                                        • CloseHandle.KERNEL32(0062A3C7), ref: 006243AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 006243AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID:
                                                                                        • API String ID: 1371578007-0
                                                                                        • Opcode ID: 4faee7ab246ff4d8c4d12c13bff7e80f9bd3a10c161715e7b8e71485e65bfa8b
                                                                                        • Instruction ID: efd1a05e79e1a5129a9d9cf2a5eaad52c831219913e6c8dbe30667cb90ecad19
                                                                                        • Opcode Fuzzy Hash: 4faee7ab246ff4d8c4d12c13bff7e80f9bd3a10c161715e7b8e71485e65bfa8b
                                                                                        • Instruction Fuzzy Hash: 8341A2B1D00629BADB10ABA2ED46FEF7FBAEF00320F105155F615A6281DB348641DFA0
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 0062609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,006264CF,00000000), ref: 006260C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0062614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0062619E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: 5bb2a92f659c88fff28ff53bec97f5dbe357053372a323f5691121037a0fcc8b
                                                                                        • Instruction ID: a12d9b344a181d011afc14ca41e4383f18bca77d4e5e46389ab5d0d1504fda38
                                                                                        • Opcode Fuzzy Hash: 5bb2a92f659c88fff28ff53bec97f5dbe357053372a323f5691121037a0fcc8b
                                                                                        • Instruction Fuzzy Hash: 70416A71A00925ABEB14CF58E888AA9B7B6EF14354F248068F815D7391D730FD65DF80
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 14ee3f7efd04f151e7898dd417f281f310062d58ca638073aa4507504ab825e1
                                                                                        • Instruction ID: a3642f6eecd9b28691f1bbcca503cc68962f1d0061f17126d4f63f14edd8062b
                                                                                        • Opcode Fuzzy Hash: 14ee3f7efd04f151e7898dd417f281f310062d58ca638073aa4507504ab825e1
                                                                                        • Instruction Fuzzy Hash: E831C071A0062ABBDB108FA5DC91ABEB7F5FF48701F10445AE544EA241E378DA51CF64
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0062272E
                                                                                        • htons.WS2_32(00000001), ref: 00622752
                                                                                        • htons.WS2_32(0000000F), ref: 006227D5
                                                                                        • htons.WS2_32(00000001), ref: 006227E3
                                                                                        • sendto.WS2_32(?,00632BF8,00000009,00000000,00000010,00000010), ref: 00622802
                                                                                          • Part of subcall function 0062EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0062EBFE,7FFF0001,?,0062DB55,7FFF0001), ref: 0062EBD3
                                                                                          • Part of subcall function 0062EBCC: RtlAllocateHeap.NTDLL(00000000,?,0062DB55,7FFF0001), ref: 0062EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                        • String ID:
                                                                                        • API String ID: 1128258776-0
                                                                                        • Opcode ID: f16ed51fb49a9a33db4c36be5bce6f0bdb3f87d9655e265ee77acd972725b5cc
                                                                                        • Instruction ID: b8f8eaa7244d9538ae162b5412fa0d9048b29ef49bb46755179c878dfce9d1bf
                                                                                        • Opcode Fuzzy Hash: f16ed51fb49a9a33db4c36be5bce6f0bdb3f87d9655e265ee77acd972725b5cc
                                                                                        • Instruction Fuzzy Hash: 97314C38244393BFD7108F74FCB09A2B7A2EF19318B19506DD856CB362D632D842DB90
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,006322F8), ref: 0062915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00629166
                                                                                        • CharToOemA.USER32(?,?), ref: 00629174
                                                                                        • wsprintfA.USER32 ref: 006291A9
                                                                                          • Part of subcall function 00629064: GetTempPathA.KERNEL32(00000400,?,00000000,006322F8), ref: 0062907B
                                                                                          • Part of subcall function 00629064: wsprintfA.USER32 ref: 006290E9
                                                                                          • Part of subcall function 00629064: CreateFileA.KERNEL32(006322F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0062910E
                                                                                          • Part of subcall function 00629064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00629122
                                                                                          • Part of subcall function 00629064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0062912D
                                                                                          • Part of subcall function 00629064: CloseHandle.KERNEL32(00000000), ref: 00629134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 006291E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3857584221-0
                                                                                        • Opcode ID: 444cf5aecb4fdb403d601c5022c0b78de1ae499acddb85c3925adcfafde92bb8
                                                                                        • Instruction ID: 135098fea4265545d6a7c53653550a5b2b8211c82016c80c240cdd5861685ac6
                                                                                        • Opcode Fuzzy Hash: 444cf5aecb4fdb403d601c5022c0b78de1ae499acddb85c3925adcfafde92bb8
                                                                                        • Instruction Fuzzy Hash: 320175F69005197BEB60ABA19D8DEDF7B7DDB95701F0000A5B749E2050D6B09789CFB0
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00622491,?,?,?,0062E844,-00000030,?,?,?,00000001), ref: 00622429
                                                                                        • lstrlenA.KERNEL32(?,?,00622491,?,?,?,0062E844,-00000030,?,?,?,00000001,00621E3D,00000001,localcfg,lid_file_upd), ref: 0062243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00622452
                                                                                        • lstrlenA.KERNEL32(?,?,00622491,?,?,?,0062E844,-00000030,?,?,?,00000001,00621E3D,00000001,localcfg,lid_file_upd), ref: 00622467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: 10716da99685e5b26585d12948f48b749a1c99813399c94034162d1c7101421e
                                                                                        • Instruction ID: 4d7e3ccf520b1e00828cb9f68dcaf5d690836d96d257b759efa9e5f6bfa27c51
                                                                                        • Opcode Fuzzy Hash: 10716da99685e5b26585d12948f48b749a1c99813399c94034162d1c7101421e
                                                                                        • Instruction Fuzzy Hash: 9D011A3160062ABF8F11EF69DC908DE7BEAEF44354B51C425F8599B210E330EA448E90
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00626F0F
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*pb), ref: 00626F24
                                                                                        • FreeSid.ADVAPI32(?), ref: 00626F3E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID: *pb
                                                                                        • API String ID: 3429775523-1176003494
                                                                                        • Opcode ID: 97e947a2a0eb9274b3087d07087060fbc84e5cf12458eeb1edd0398c789dacf7
                                                                                        • Instruction ID: 29399f3c87b1dc0e417e1090f6e82c15888200cba0648e83732aa65240f55d22
                                                                                        • Opcode Fuzzy Hash: 97e947a2a0eb9274b3087d07087060fbc84e5cf12458eeb1edd0398c789dacf7
                                                                                        • Instruction Fuzzy Hash: 50011EB1904219AFEB14DFE4FDD5AAD77BAEB04300F105869F205E2161E7709948CF54
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                        • API String ID: 2111968516-120809033
                                                                                        • Opcode ID: 677f5035059b4030e88ad642c8d97fb2b551b8b93f374aedb6aa04431c79342f
                                                                                        • Instruction ID: a30b78f944f20c7bdb4a2bb333586024162aaea5818b3bf2daac6fe8d39e802b
                                                                                        • Opcode Fuzzy Hash: 677f5035059b4030e88ad642c8d97fb2b551b8b93f374aedb6aa04431c79342f
                                                                                        • Instruction Fuzzy Hash: 1941DF729046A99FDB31CF789C44BEE3BE99F4A300F240455F9A0D7242D635DA05CFA0
                                                                                        APIs
                                                                                          • Part of subcall function 0062DD05: GetTickCount.KERNEL32 ref: 0062DD0F
                                                                                          • Part of subcall function 0062DD05: InterlockedExchange.KERNEL32(006336B4,00000001), ref: 0062DD44
                                                                                          • Part of subcall function 0062DD05: GetCurrentThreadId.KERNEL32 ref: 0062DD53
                                                                                        • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00625EC1), ref: 0062E693
                                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00625EC1), ref: 0062E6E9
                                                                                        • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,00625EC1), ref: 0062E722
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                        • String ID: 89ABCDEF
                                                                                        • API String ID: 3343386518-71641322
                                                                                        • Opcode ID: d14e8beb563956e5619d66891abcd3a956e8ff3740ae13d744ca9c855586bca8
                                                                                        • Instruction ID: 5652e1c6516780bfed3556c95387ef9b21ced4555bdcb3fae78e513abbc499fc
                                                                                        • Opcode Fuzzy Hash: d14e8beb563956e5619d66891abcd3a956e8ff3740ae13d744ca9c855586bca8
                                                                                        • Instruction Fuzzy Hash: 7231BE31604F22DBDB358F64E884BA67BE6AF21321F10843EE45687650D772E884CF81
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0062E2A3,00000000,00000000,00000000,00020106,00000000,0062E2A3,00000000,000000E4), ref: 0062E0B2
                                                                                        • RegSetValueExA.ADVAPI32(0062E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,006322F8), ref: 0062E127
                                                                                        • RegDeleteValueA.ADVAPI32(0062E2A3,?,?,?,?,?,000000C8,006322F8), ref: 0062E158
                                                                                        • RegCloseKey.ADVAPI32(0062E2A3,?,?,?,?,000000C8,006322F8,?,?,?,?,?,?,?,?,0062E2A3), ref: 0062E161
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_620000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: f579254a75ede5e39529f704a8e717be68d8d6f4e04bb4c5f1f84a2ce4f3cafb
• Instruction ID: 274a9b1e23f2b54e0b89f1f4cee749c56a5f800e475bad485b51dd04295bb477
• Opcode Fuzzy Hash: f579254a75ede5e39529f704a8e717be68d8d6f4e04bb4c5f1f84a2ce4f3cafb
• Instruction Fuzzy Hash: F3216F71A00229BBDF209FA4EC89EDE7F7AEF09750F004071F904E6151E7728A25DBA0
APIs
• WriteFile.KERNEL32(00000000,00000000,0062A3C7,00000000,00000000,000007D0,00000001), ref: 00623F44
• GetLastError.KERNEL32 ref: 00623F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00623F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00623F72
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 33e633220db2eaa5d18ee3b97b426eac1c455a6a2ab19fe2179fc438f66f661d
• Instruction ID: ed3451978ad26edb41431b822ea1bc3312ec76997682c72c663013d131db9870
• Opcode Fuzzy Hash: 33e633220db2eaa5d18ee3b97b426eac1c455a6a2ab19fe2179fc438f66f661d
• Instruction Fuzzy Hash: FB01D372911129ABEB01DF91EE84BEE7BBDEB04395F104025FA01E6250D7349A158BB2
APIs
• ReadFile.KERNEL32(00000000,00000000,0062A3C7,00000000,00000000,000007D0,00000001), ref: 00623FB8
• GetLastError.KERNEL32 ref: 00623FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00623FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00623FE6
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: d1fcd7958cde56c0a8c49f20e6f828fea5e3a9a6004174dcafa6f86201b628b8
• Instruction ID: d53429803a2165d7d05b2db0fec3cdd5874ba04d00f52268054f47054d2c13ad
• Opcode Fuzzy Hash: d1fcd7958cde56c0a8c49f20e6f828fea5e3a9a6004174dcafa6f86201b628b8
• Instruction Fuzzy Hash: D001057291022AABDF01DF90EE85BEA3B79AB04355F004011ED02E2190D7349A14CFB1
APIs
• GetTickCount.KERNEL32 ref: 0062A4D1
• GetTickCount.KERNEL32 ref: 0062A4E4
• Sleep.KERNEL32(00000000,?,0062C2E9,0062C4E0,00000000,localcfg,?,0062C4E0,00633588,00628810), ref: 0062A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0062A4FA
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 55eb867184b44f833747a3413df8bad69b6c8f92832e482ff5ff73b2c53edc81
• Instruction ID: 2ab1a855f4c199b60bbeef26360a781252c5f9f868e5aced33f72607663ba58e
• Opcode Fuzzy Hash: 55eb867184b44f833747a3413df8bad69b6c8f92832e482ff5ff73b2c53edc81
• Instruction Fuzzy Hash: 9EE0263320022457D70067E5BD84FAA33CAEB4D761F110061FA04E3240C796E84549F3
APIs
• GetTickCount.KERNEL32 ref: 00624E9E
• GetTickCount.KERNEL32 ref: 00624EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00624EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00624EC3
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 8ef0c14118ce07d9ddcdac3fea88e336c08111beaa93400f40ca82ebf487b83b
• Instruction ID: e589274cc4c834dfc2ed3f5acfa007284ea15ab36a794cd3c04d950a39b48b34
• Opcode Fuzzy Hash: 8ef0c14118ce07d9ddcdac3fea88e336c08111beaa93400f40ca82ebf487b83b
• Instruction Fuzzy Hash: 7EE0263220062417F70023B9FC80F5A664BAB55360F020131E608C2180CA56D80209F1
APIs
• GetTickCount.KERNEL32 ref: 00623103
• GetTickCount.KERNEL32 ref: 0062310F
• Sleep.KERNEL32(00000000), ref: 0062311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00623128
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 673d8eda3b33e16c99cf4294e84c2fc6d034537f992d7663e507bffd5b6cfc82
• Instruction ID: 30c9153a7e8d264c42bf9155c257fd6dc20cb1b66c2246fc9806a08a92c84a11
• Opcode Fuzzy Hash: 673d8eda3b33e16c99cf4294e84c2fc6d034537f992d7663e507bffd5b6cfc82
• Instruction Fuzzy Hash: D1E02B31300335AFEB002B75BE48B897B5BDF84761F111031F601D26B0C7548D258DB1
APIs
• WriteFile.KERNEL32(00629A60,?,?,00000000,00000000,00629A60,?,00000000), ref: 006269F9
• WriteFile.KERNEL32(00629A60,?,00629A60,00000000,00000000), ref: 00626A27
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,kb
• API String ID: 3934441357-3953382542
• Opcode ID: dd5d75ed604f95efd200486039156732f028315ddc3a4ca8561cd8b1cf260107
• Instruction ID: 4c1b1061f458856687256d61478238be18fff399b5fc758eb20449f09e46cb1b
• Opcode Fuzzy Hash: dd5d75ed604f95efd200486039156732f028315ddc3a4ca8561cd8b1cf260107
• Instruction Fuzzy Hash: CA313872A00619EFDB24DF68E985BAAB7F5EB04315F10846AF801E7240D770EE54CFA1
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: 2ead68a1faa20498879c2e06c7175a5df96238c58ed4149aeb4d3b7f93a4450b
• Instruction ID: 53af403c44d1ddbfc43830f1a81c9114c59d02ea16b7a5e9b7de5fc237e543b6
• Opcode Fuzzy Hash: 2ead68a1faa20498879c2e06c7175a5df96238c58ed4149aeb4d3b7f93a4450b
• Instruction Fuzzy Hash: D921D532612A31AFDB108FB4EC9159A77BBEF20351B294859D401DB291CF34ED48CF51
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0062C057
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: c5aeb4513c354700d7e8763f37e58d36e5465b95cc328fc9ce5edd3f622cae83
• Instruction ID: d9e3b3ea432da0992692f664e1f0e5075fd303a87514d44502adc608c1c10241
• Opcode Fuzzy Hash: c5aeb4513c354700d7e8763f37e58d36e5465b95cc328fc9ce5edd3f622cae83
• Instruction Fuzzy Hash: 0E118672100100EFDB429BA9CD44E567FA6FF88318B34919CF6188A166D633D867EB90
APIs
  • Part of subcall function 006230FA: GetTickCount.KERNEL32 ref: 00623103
  • Part of subcall function 006230FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00623128
• GetCurrentThreadId.KERNEL32 ref: 00623929
• GetCurrentThreadId.KERNEL32 ref: 00623939
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: b456b495f62a90dd7b05f6868c6ac86d119256324a8e55d52ddd3ee38e86739f
• Instruction ID: 9727c5d1660a2d1c9b68d1b08e8573b2940171c1efe422e7c2864d6b68bae03e
• Opcode Fuzzy Hash: b456b495f62a90dd7b05f6868c6ac86d119256324a8e55d52ddd3ee38e86739f
• Instruction Fuzzy Hash: 16116AB1900625EFD760DF0AE481A9CF3F6FB09715F10851EE84497391D7B4AA80CFA4
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0062BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0062ABB9
• InterlockedIncrement.KERNEL32(00633640), ref: 0062ABE1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 76736b2b1d9658d79be901fdaeedc8cc25712d4924d74904e5f1196b08c869cb
• Instruction ID: dc0ef67f1fc5a7a6967618cbe56c4df80379ba25b58e21b325973179b660021a
• Opcode Fuzzy Hash: 76736b2b1d9658d79be901fdaeedc8cc25712d4924d74904e5f1196b08c869cb
• Instruction Fuzzy Hash: 1E019E315082A4AFDB11CF58E991E967BA7AF15315F1544C4E58087353C3B0EA44CF92
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 006226C3
• inet_ntoa.WS2_32(?), ref: 006226E4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: 2ed44bc4779b2b92e73cb32d725285046c7bcfc845b02a22d2d89f573855d26d
• Instruction ID: a646c20ddbd07a6a1b04a8e96421b10d20f7218da2922e5178e84982614139f6
• Opcode Fuzzy Hash: 2ed44bc4779b2b92e73cb32d725285046c7bcfc845b02a22d2d89f573855d26d
• Instruction Fuzzy Hash: 06F0123324861A7BEB046FA4FC19E9A379EDF09750F144465F908DA190DB71D9409B98
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0062EB54,_alldiv,0062F0B7,80000001,00000000,00989680,00000000,?,?,?,0062E342,00000000,75A8EA50,80000001,00000000), ref: 0062EAF2
• GetProcAddress.KERNEL32(76E90000,00000000), ref: 0062EB07
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 25d0a873e718d76b7030445c0289f84f5198e39835d2e8cc4da00c3261fe0db2
• Instruction ID: 12ceb255e403e34a29ae0b1fd7ac9248cacbb158e00eebc59e04a146d0485089
• Opcode Fuzzy Hash: 25d0a873e718d76b7030445c0289f84f5198e39835d2e8cc4da00c3261fe0db2
• Instruction Fuzzy Hash: 6AD0C934A04712AB9F164F64EF5B95576EBAB55702B406065A41AC1320E731D888DA80
APIs
  • Part of subcall function 00622D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00622F01,?,006220FF,00632000), ref: 00622D3A
  • Part of subcall function 00622D21: LoadLibraryA.KERNEL32(?), ref: 00622D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00622F73
• HeapFree.KERNEL32(00000000), ref: 00622F7A
Memory Dump Source
• Source File: 0000000C.00000002.2951374424.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 955abf861a39d4104a740272ccbb38fc8d2e2f99dfc2576420e9992e4a91ce3c
• Instruction ID: 29b4d6b8b573432d90dbc731d1e1452a52604fdeed939f199631ec6285943ebc
• Opcode Fuzzy Hash: 955abf861a39d4104a740272ccbb38fc8d2e2f99dfc2576420e9992e4a91ce3c
• Instruction Fuzzy Hash: 9951AD7190062AAFDF019F64E8989FAB776FF15304F1045A9EC96D7310E7329A19CF90