Windows Analysis Report
H3nfKrgQbi.exe

Overview

General Information

Sample name: H3nfKrgQbi.exe
Analysis ID: 1515108
MD5: 1c5083792acfccf5d90db80884569ace
SHA1: 6be243663a2d173dcd728146f2a3d1a5a974ff38
SHA256: 27ca44d4fca5a29c0018efeebbda04250739a546e4b7879bd5a547aaea1de80d
Tags: exe, user-aachum

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • H3nfKrgQbi.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\H3nfKrgQbi.exe" MD5: 1C5083792ACFCCF5D90DB80884569ACE)
    • cmd.exe (PID: 6496 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bazwewbz\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1520 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wuefhdgm.exe" C:\Windows\SysWOW64\bazwewbz\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7156 cmdline: "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6004 cmdline: "C:\Windows\System32\sc.exe" description bazwewbz "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7148 cmdline: "C:\Windows\System32\sc.exe" start bazwewbz MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 1600 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 1996 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 1188 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wuefhdgm.exe (PID: 5864 cmdline: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d"C:\Users\user\Desktop\H3nfKrgQbi.exe" MD5: E8162D23E2C2202690CEB6F6E48A723E)
    • svchost.exe (PID: 6496 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 536 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6416 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 1292 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1352 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7092 -ip 7092 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 1892 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source / Rule / Description / Author / Strings
Source: 0000000C.00000002.2105550467.0000000002528000.00000040.00000020.00020000.00000000.sdmp; Rule: Windows_Trojan_RedLineStealer_ed346e4c; Description: unknown; Author: unknown
  • 0x10003:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000002.2105496878.00000000024DD000.00000040.00000020.00020000.00000000.sdmp; Rule: Windows_Trojan_RedLineStealer_ed346e4c; Description: unknown; Author: unknown
  • 0x1037b:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

Source / Rule / Description / Author / Strings
Source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 12.2.wuefhdgm.exe.400000.0.raw.unpack; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 12.2.wuefhdgm.exe.400000.0.raw.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

        System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d"C:\Users\user\Desktop\H3nfKrgQbi.exe", ParentImage: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe, ParentProcessId: 5864, ParentProcessName: wuefhdgm.exe, ProcessCommandLine: svchost.exe, ProcessId: 6496, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\H3nfKrgQbi.exe", ParentImage: C:\Users\user\Desktop\H3nfKrgQbi.exe, ParentProcessId: 7092, ParentProcessName: H3nfKrgQbi.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7156, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.42.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 6496, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d"C:\Users\user\Desktop\H3nfKrgQbi.exe", ParentImage: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe, ParentProcessId: 5864, ParentProcessName: wuefhdgm.exe, ProcessCommandLine: svchost.exe, ProcessId: 6496, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6496, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\bazwewbz
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\H3nfKrgQbi.exe", ParentImage: C:\Users\user\Desktop\H3nfKrgQbi.exe, ParentProcessId: 7092, ParentProcessName: H3nfKrgQbi.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7156, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6416, ProcessName: svchost.exe
        No Suricata rule has matched

        AV Detection

Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: jotunheim.name:443; Avira URL Cloud: Label: malware
Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn; Virustotal: Detection: 15%
Source: jotunheim.name:443; Virustotal: Detection: 12%
Source: vanaheim.cn:443; Virustotal: Detection: 7%
Source: H3nfKrgQbi.exe; ReversingLabs: Detection: 44%
Source: H3nfKrgQbi.exe; Virustotal: Detection: 44%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\wuefhdgm.exe; Joe Sandbox ML: detected
Source: H3nfKrgQbi.exe; Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Unpacked PE file: 0.2.H3nfKrgQbi.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe; Unpacked PE file: 12.2.wuefhdgm.exe.400000.0.unpack
Source: H3nfKrgQbi.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\bazwewbz

        Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.42.0 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.204.79 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 142.251.173.27 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 195.58.54.132 443
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 52.101.42.0
Source: Joe Sandbox View; IP Address: 67.195.204.79
Source: Joe Sandbox View; IP Address: 94.100.180.31
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: YAHOO-3US
Source: Joe Sandbox View; ASN Name: URALTRANSCOM-ASUA
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 52.101.42.0:25
Source: global traffic; TCP traffic: 192.168.2.5:49714 -> 67.195.204.79:25
Source: global traffic; TCP traffic: 192.168.2.5:49932 -> 142.251.173.27:25
Source: global traffic; TCP traffic: 192.168.2.5:49934 -> 94.100.180.31:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49933

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.wuefhdgm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.wuefhdgm.exe.2de0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.H3nfKrgQbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.wuefhdgm.exe.2de0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.svchost.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.H3nfKrgQbi.exe.25c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.wuefhdgm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.3.wuefhdgm.exe.2d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.svchost.exe.2780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.wuefhdgm.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: H3nfKrgQbi.exe PID: 7092, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: wuefhdgm.exe PID: 5864, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6496, type: MEMORYSTR

        System Summary

Source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.wuefhdgm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.wuefhdgm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.3.wuefhdgm.exe.2d80000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.3.wuefhdgm.exe.2d80000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.3.H3nfKrgQbi.exe.25c0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.3.H3nfKrgQbi.exe.25c0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.wuefhdgm.exe.2de0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.wuefhdgm.exe.2de0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.H3nfKrgQbi.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.H3nfKrgQbi.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.wuefhdgm.exe.24f0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.wuefhdgm.exe.24f0e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.wuefhdgm.exe.2de0000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 13.2.svchost.exe.2780000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.wuefhdgm.exe.2de0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 13.2.svchost.exe.2780000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.3.H3nfKrgQbi.exe.25c0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.3.H3nfKrgQbi.exe.25c0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.wuefhdgm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.wuefhdgm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.3.wuefhdgm.exe.2d80000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.3.wuefhdgm.exe.2d80000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 13.2.svchost.exe.2780000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 13.2.svchost.exe.2780000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.wuefhdgm.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.wuefhdgm.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000002.2105550467.0000000002528000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
Source: 00000000.00000002.2105496878.00000000024DD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
Source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
Source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Windows\SysWOW64\bazwewbz\
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe; Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe; Code function: 12_2_02528129
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_2_0278C913
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Code function: String function: 024A27AB appears 35 times
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe; Code function: String function: 00402544 appears 53 times
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864
Source: H3nfKrgQbi.exe, 00000000.00000002.2105548519.000000000258F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCmd.Exej% vs H3nfKrgQbi.exe
Source: H3nfKrgQbi.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.wuefhdgm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.wuefhdgm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.3.wuefhdgm.exe.2d80000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.wuefhdgm.exe.2d80000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.H3nfKrgQbi.exe.25c0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.H3nfKrgQbi.exe.25c0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.wuefhdgm.exe.2de0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.wuefhdgm.exe.2de0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.H3nfKrgQbi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.H3nfKrgQbi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.H3nfKrgQbi.exe.24a0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.wuefhdgm.exe.24f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.wuefhdgm.exe.24f0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.wuefhdgm.exe.2de0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.2780000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.wuefhdgm.exe.2de0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.2780000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.H3nfKrgQbi.exe.25c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.H3nfKrgQbi.exe.25c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.wuefhdgm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.wuefhdgm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.wuefhdgm.exe.2d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.wuefhdgm.exe.2d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.2780000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.2780000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.wuefhdgm.exe.24f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.wuefhdgm.exe.24f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2105550467.0000000002528000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.2105496878.00000000024DD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: H3nfKrgQbi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine Classification label: mal100.troj.evad.winEXE@32/3@11/5
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_024ED3A9 CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_02789A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2684:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:748:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:1352:64:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:1292:64:WilError_03
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe File created: C:\Users\user\AppData\Local\Temp\wuefhdgm.exe
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: H3nfKrgQbi.exe ReversingLabs: Detection: 44%
        Source: H3nfKrgQbi.exe Virustotal: Detection: 44%
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe File read: C:\Users\user\Desktop\H3nfKrgQbi.exe
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-14976
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-14835
        Source: unknown Process created: C:\Users\user\Desktop\H3nfKrgQbi.exe "C:\Users\user\Desktop\H3nfKrgQbi.exe"
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bazwewbz\
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wuefhdgm.exe" C:\Windows\SysWOW64\bazwewbz\
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description bazwewbz "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bazwewbz
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d"C:\Users\user\Desktop\H3nfKrgQbi.exe"
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7092 -ip 7092
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 1188
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 536
        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bazwewbz\
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wuefhdgm.exe" C:\Windows\SysWOW64\bazwewbz\
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description bazwewbz "wifi internet conection"
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bazwewbz
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7092 -ip 7092
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 1188
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 536
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: slc.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: H3nfKrgQbi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Unpacked PE file: 0.2.H3nfKrgQbi.exe.400000.0.unpack -- section rights: .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Unpacked PE file: 12.2.wuefhdgm.exe.400000.0.unpack -- section rights: .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Unpacked PE file: 0.2.H3nfKrgQbi.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Unpacked PE file: 12.2.wuefhdgm.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr (0_2_00406069)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_024F0691 push 0000002Bh; iretd (0_2_024F0697)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Code function: 12_2_0253B319 push 0000002Bh; iretd (12_2_0253B31F)
        Source: H3nfKrgQbi.exe -- Static PE information: section name: .text entropy: 7.876885992304956

        Persistence and Installation Behavior

        Source: unknown -- Executable created and started: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe
        Source: C:\Windows\SysWOW64\cmd.exe -- File created: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe (copy)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- File created: C:\Users\user\AppData\Local\Temp\wuefhdgm.exe
        Source: C:\Windows\SysWOW64\cmd.exe -- File created: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe -- Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bazwewbz
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep (0_2_00409A6B)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe -- File deleted: c:\users\user\desktop\h3nfkrgqbi.exe
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00401000)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Process information set: NOGPFAULTERRORBOX (12 times), NOOPENFILEERRORBOX (once)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Process information set: NOGPFAULTERRORBOX (2 times)
        Source: C:\Windows\SysWOW64\svchost.exe -- Process information set: NOGPFAULTERRORBOX (2 times)
        Source: C:\Windows\System32\svchost.exe -- Process information set: NOOPENFILEERRORBOX (10 times)
        Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 times), NOOPENFILEERRORBOX (4 times)
        Source: C:\Windows\SysWOW64\netsh.exe -- Process information set: NOOPENFILEERRORBOX (2 times)
        Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (15 times), NOOPENFILEERRORBOX (12 times)
        Source: C:\Windows\SysWOW64\svchost.exe -- Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary (13_2_0278199C)

        Malware Analysis System Evasion

        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_12-15824)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-15285)
        Source: C:\Windows\SysWOW64\svchost.exe -- Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_13-7610)
        Source: C:\Windows\SysWOW64\svchost.exe -- Evaded block: after key decision (graph_13-6147)
        Source: C:\Windows\SysWOW64\svchost.exe -- Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_13-6435)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-15275)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_12-15349)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_0-15021)
        Source: C:\Windows\SysWOW64\svchost.exe -- Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_13-7450)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-14849)
        Source: C:\Windows\SysWOW64\svchost.exe -- Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_13-6177)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_12-14991)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- API coverage: 5.5 %
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- API coverage: 4.0 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 2684 -- Thread sleep count: 39 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 2684 -- Thread sleep time: -39000s >= -30000s
        Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed (5 times)
        Source: C:\Windows\SysWOW64\svchost.exe -- Last function: Thread delayed (2 times)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount (0_2_00401D96)
        Source: svchost.exe, 0000000D.00000002.3322886497.0000000002C00000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- API call chain: ExitProcess graph end node (graph_12-15361)
        Source: C:\Windows\SysWOW64\svchost.exe -- API call chain: ExitProcess graph end node (graph_13-6181)

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe -- Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_13-7672)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_12-16368)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr (0_2_00406069)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_024A092B mov eax, dword ptr fs:[00000030h] (0_2_024A092B)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_024A0D90 mov eax, dword ptr fs:[00000030h] (0_2_024A0D90)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_024ECC86 push dword ptr fs:[00000030h] (0_2_024ECC86)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Code function: 12_2_024F092B mov eax, dword ptr fs:[00000030h] (12_2_024F092B)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Code function: 12_2_024F0D90 mov eax, dword ptr fs:[00000030h] (12_2_024F0D90)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Code function: 12_2_0253790E push dword ptr fs:[00000030h] (12_2_0253790E)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap (0_2_0040EBCC)
        Source: C:\Users\user\Desktop\H3nfKrgQbi.exe -- Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep (0_2_00409A6B)
        Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe -- Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep (12_2_00409A6B)
        Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 13_2_02789A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep (13_2_02789A6B)

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 52.101.42.0 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 67.195.204.79 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 142.251.173.27 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 195.58.54.132 443
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2780000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2780000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2780000
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2956008
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bazwewbz\
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wuefhdgm.exe" C:\Windows\SysWOW64\bazwewbz\
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description bazwewbz "wifi internet conection"
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bazwewbz
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7092 -ip 7092
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 1188
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 536
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

Source: Yara match, File source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.2de0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.H3nfKrgQbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.2de0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.svchost.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.H3nfKrgQbi.exe.25c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.3.wuefhdgm.exe.2d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.svchost.exe.2780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: H3nfKrgQbi.exe PID: 7092, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: wuefhdgm.exe PID: 5864, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6496, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match, File source: 0.2.H3nfKrgQbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.H3nfKrgQbi.exe.24a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.2de0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.H3nfKrgQbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.2de0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.svchost.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.H3nfKrgQbi.exe.25c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.3.wuefhdgm.exe.2d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.svchost.exe.2780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.wuefhdgm.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: H3nfKrgQbi.exe PID: 7092, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: wuefhdgm.exe PID: 5864, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6496, type: MEMORYSTR
Source: C:\Users\user\Desktop\H3nfKrgQbi.exe Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
Source: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,12_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_027888B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,13_2_027888B0
MITRE ATT&CK Matrix (techniques listed per tactic in matrix order; a number in parentheses is the count of matching signatures, entries without a number are unmatched matrix cells)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Native API (41), Command and Scripting Interpreter (2), Service Execution (3), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: DLL Side-Loading (1), Valid Accounts (1), Windows Service (14), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Privilege Escalation: DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (14), Process Injection (412), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Defense Evasion: Disable or Modify Tools (3), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (22), DLL Side-Loading (1), File Deletion (1), Masquerading (12), Valid Accounts (1), Virtualization/Sandbox Evasion (11), Access Token Manipulation (1), Process Injection (412)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (15), Security Software Discovery (111), Virtualization/Sandbox Evasion (11), Process Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1), Network Service Discovery, System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (112), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
Behavior Graph ID: 1515108, Sample: H3nfKrgQbi.exe, Startdate: 21/09/2024, Architecture: WINDOWS, Score: 100 (graph rendering and icon legend not reproduced; the process tree covers H3nfKrgQbi.exe, wuefhdgm.exe, svchost.exe, cmd.exe, netsh.exe, conhost.exe and WerFault.exe, with contacted hosts mta5.am0.yahoodns.net 67.195.204.79 port 25 and vanaheim.cn 195.58.54.132 port 443)

Source | Detection | Scanner | Label
H3nfKrgQbi.exe | 45% | ReversingLabs | Win32.Trojan.Cerbu
H3nfKrgQbi.exe | 44% | Virustotal |
H3nfKrgQbi.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\wuefhdgm.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
mxs.mail.ru | 0% | Virustotal |
mta5.am0.yahoodns.net | 0% | Virustotal |
microsoft-com.mail.protection.outlook.com | 0% | Virustotal |
vanaheim.cn | 16% | Virustotal |
smtp.google.com | 0% | Virustotal |
google.com | 0% | Virustotal |
mail.ru | 0% | Virustotal |
yahoo.com | 0% | Virustotal |
18.31.95.13.in-addr.arpa | 0% | Virustotal |

Source | Detection | Scanner | Label
jotunheim.name:443 | 13% | Virustotal |
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 100% | Avira URL Cloud | malware
vanaheim.cn:443 | 8% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
mta5.am0.yahoodns.net | 67.195.204.79 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.42.0 | true | true | | unknown
vanaheim.cn | 195.58.54.132 | true | true | | unknown
smtp.google.com | 142.251.173.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
18.31.95.13.in-addr.arpa | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | 8% Virustotal; Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | 13% Virustotal; Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.42.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
67.195.204.79 | mta5.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true
142.251.173.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
195.58.54.132 | vanaheim.cn | Russian Federation | 41082 | URALTRANSCOM-ASUA | true
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1515108
Start date and time: 2024-09-21 17:15:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: H3nfKrgQbi.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@32/3@11/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 61
• Number of non-executed functions: 259
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.231.239.246, 20.236.44.162, 20.112.250.133, 20.76.201.171, 20.70.246.20
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:16:51 | API Interceptor | 12x Sleep call for process: svchost.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
52.101.42.0
• 874A7cigvX.exe | malicious | Tofsee
• qkkcfptf.exe | malicious | Tofsee
• fdnoqmpv.exe | malicious | Tofsee
• .exe | malicious | Unknown
• Sm4Ty3Em4z.exe | malicious | Tofsee
• rRBVVlBwia.exe | malicious | Tofsee
• DWoKcG581L.exe | malicious | Tofsee
• L7iza9mNDI.exe | malicious | Tofsee
• file.exe | malicious | Tofsee
• sorteado!!.com.exe | malicious | Unknown
67.195.204.79
• vekvtia.exe | malicious | Tofsee
• file.exe | malicious | Phorpiex
• RqrQG7s66x.dll | malicious | Unknown
• 7b8wRbnmKu.exe | malicious | Unknown
• file.msg.scr.exe | malicious | Unknown
• file.exe | malicious | Phorpiex, Xmrig
• l3Qj8QhTYZ.exe | malicious | Phorpiex
• data.log.exe | malicious | Unknown
• message.elm.exe | malicious | Unknown
• Update-KB6734-x86.exe | malicious | Unknown
94.100.180.31
• 2FnvReiPU6.exe | malicious | Tofsee
• qkkcfptf.exe | malicious | Tofsee
• vekvtia.exe | malicious | Tofsee
• UUJycuNA6D.exe | malicious | Tofsee
• igvdwmhd.exe | malicious | Tofsee
• fdnoqmpv.exe | malicious | Tofsee
• rRBVVlBwia.exe | malicious | Tofsee
• setup.exe | malicious | Tofsee
• m4Jp2TLBHJ.exe | malicious | Tofsee
• SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP resolved in that analysis)
mxs.mail.ru
• 2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
• 874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
• RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
• ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
• Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
• qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
• vekvtia.exe | malicious | Tofsee | 94.100.180.31
• knkduwqg.exe | malicious | Tofsee | 217.69.139.150
• foufdsk.exe | malicious | Tofsee | 217.69.139.150
• UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
mta5.am0.yahoodns.net
• ODy57hA4Su.exe | malicious | Tofsee | 67.195.228.109
• igvdwmhd.exe | malicious | Tofsee | 67.195.228.110
• fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
• SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
• vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
• lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
• I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
• file.exe | malicious | Phorpiex | 67.195.228.110
• file.exe | malicious | Phorpiex | 98.136.96.74
• file.exe | malicious | Tofsee | 98.136.96.77
vanaheim.cn
• 874A7cigvX.exe | malicious | Tofsee | 77.232.41.29
• RSno9EH0K9.exe | malicious | Tofsee | 77.232.41.29
• ODy57hA4Su.exe | malicious | Tofsee | 77.232.41.29
• Uc84uB877e.exe | malicious | Tofsee | 77.232.41.29
• qkkcfptf.exe | malicious | Tofsee | 77.232.41.29
• vekvtia.exe | malicious | Tofsee | 77.232.41.29
• knkduwqg.exe | malicious | Tofsee | 77.232.41.29
• foufdsk.exe | malicious | Tofsee | 77.232.41.29
• UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
• bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
microsoft-com.mail.protection.outlook.com
• 2FnvReiPU6.exe | malicious | Tofsee | 52.101.11.9
• 874A7cigvX.exe | malicious | Tofsee | 52.101.42.0
• RSno9EH0K9.exe | malicious | Tofsee | 52.101.8.49
• ODy57hA4Su.exe | malicious | Tofsee | 52.101.11.0
• Uc84uB877e.exe | malicious | Tofsee | 52.101.8.49
• qkkcfptf.exe | malicious | Tofsee | 52.101.42.0
• vekvtia.exe | malicious | Tofsee | 52.101.8.49
• knkduwqg.exe | malicious | Tofsee | 52.101.11.0
• foufdsk.exe | malicious | Tofsee | 52.101.40.26
                                                                    UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                    • 52.101.40.26
                                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                    No context
                                                                    No context
                                                                    Process:C:\Users\user\Desktop\H3nfKrgQbi.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):13548032
                                                                    Entropy (8bit):5.249826358334154
                                                                    Encrypted:false
                                                                    SSDEEP:98304:nOMSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZR:O
                                                                    MD5:E8162D23E2C2202690CEB6F6E48A723E
                                                                    SHA1:47E0DA90AD99A4823FA5A800CAD0E8661B19F2F5
                                                                    SHA-256:BF6A0847BA307D698A9655BB00B68923806DFC95497A9D14C2426902B973E461
                                                                    SHA-512:78E1330841312D920F1FA4BDEA784A0D1B3C85068BF80AA2900D219A168AAA1FFC29CD9139F6174C31055DD1717EA84D679C684703399C293341E9135AD4C6FE
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C...........h.J....h......h.K.R....r...........h.N....h.{....h.|....Rich...................PE..L....`.e.................L...........@.......`....@..........................................................................O..d.......(...........................hO..............................(+..@...............$............................text....K.......L.................. ..`.data........`...Z...P..............@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):13548032
                                                                    Entropy (8bit):5.249826358334154
                                                                    Encrypted:false
                                                                    SSDEEP:98304:nOMSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZR:O
                                                                    MD5:E8162D23E2C2202690CEB6F6E48A723E
                                                                    SHA1:47E0DA90AD99A4823FA5A800CAD0E8661B19F2F5
                                                                    SHA-256:BF6A0847BA307D698A9655BB00B68923806DFC95497A9D14C2426902B973E461
                                                                    SHA-512:78E1330841312D920F1FA4BDEA784A0D1B3C85068BF80AA2900D219A168AAA1FFC29CD9139F6174C31055DD1717EA84D679C684703399C293341E9135AD4C6FE
                                                                    Malicious:true
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C...........h.J....h......h.K.R....r...........h.N....h.{....h.|....Rich...................PE..L....`.e.................L...........@.......`....@..........................................................................O..d.......(...........................hO..............................(+..@...............$............................text....K.......L.................. ..`.data........`...Z...P..............@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\netsh.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3773
                                                                    Entropy (8bit):4.7109073551842435
                                                                    Encrypted:false
                                                                    SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                    MD5:DA3247A302D70819F10BCEEBAF400503
                                                                    SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                    SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                    SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                    Malicious:false
                                                                    Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):6.762603190470854
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:H3nfKrgQbi.exe
                                                                    File size:424'960 bytes
                                                                    MD5:1c5083792acfccf5d90db80884569ace
                                                                    SHA1:6be243663a2d173dcd728146f2a3d1a5a974ff38
                                                                    SHA256:27ca44d4fca5a29c0018efeebbda04250739a546e4b7879bd5a547aaea1de80d
                                                                    SHA512:8af309adcaed0055ca8b2c879a1ff16e9d0d853ab3837c94719d09c03bf27b32125581f525ef99caa4488b184bfc5565b033333cd4af9e4240aa23963dd76a1b
                                                                    SSDEEP:6144:+nhYTBI6ONsWWqOaejSlD8viNV43Km3Wlz8+5FXCnFk:2aTy6OlO3GDyYnSC
                                                                    TLSH:81948E6242B17C45F9224F728E1ED6E9365FF9608D19772E221CAA3F25713F2C163B24
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C...............h.J.....h.......h.K.R.....r.............h.N.....h.{.....h.|.....Rich....................PE..L....`.e...........
                                                                    Icon Hash:532555554545610d
                                                                    Entrypoint:0x40409f
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x65D960A8 [Sat Feb 24 03:21:12 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:aa1df04aa31b8b76e6674a21e4ac0295
                                                                    Instruction
                                                                    call 00007F1C44862565h
                                                                    jmp 00007F1C4486040Eh
                                                                    mov eax, 00436008h
                                                                    ret
                                                                    mov eax, dword ptr [02450C60h]
                                                                    push esi
                                                                    push 00000014h
                                                                    pop esi
                                                                    test eax, eax
                                                                    jne 00007F1C44860589h
                                                                    mov eax, 00000200h
                                                                    jmp 00007F1C44860588h
                                                                    cmp eax, esi
                                                                    jnl 00007F1C44860589h
                                                                    mov eax, esi
                                                                    mov dword ptr [02450C60h], eax
                                                                    push 00000004h
                                                                    push eax
                                                                    call 00007F1C44862613h
                                                                    pop ecx
                                                                    pop ecx
                                                                    mov dword ptr [0244FC40h], eax
                                                                    test eax, eax
                                                                    jne 00007F1C448605A0h
                                                                    push 00000004h
                                                                    push esi
                                                                    mov dword ptr [02450C60h], esi
                                                                    call 00007F1C448625FAh
                                                                    pop ecx
                                                                    pop ecx
                                                                    mov dword ptr [0244FC40h], eax
                                                                    test eax, eax
                                                                    jne 00007F1C44860587h
                                                                    push 0000001Ah
                                                                    pop eax
                                                                    pop esi
                                                                    ret
                                                                    xor edx, edx
                                                                    mov ecx, 00436008h
                                                                    jmp 00007F1C44860587h
                                                                    mov eax, dword ptr [0244FC40h]
                                                                    mov dword ptr [edx+eax], ecx
                                                                    add ecx, 20h
                                                                    add edx, 04h
                                                                    cmp ecx, 00436288h
                                                                    jl 00007F1C4486056Ch
                                                                    push FFFFFFFEh
                                                                    pop esi
                                                                    xor edx, edx
                                                                    mov ecx, 00436018h
                                                                    push edi
                                                                    mov eax, edx
                                                                    sar eax, 05h
                                                                    mov eax, dword ptr [0244FB40h+eax*4]
                                                                    mov edi, edx
                                                                    and edi, 1Fh
                                                                    shl edi, 06h
                                                                    mov eax, dword ptr [edi+eax]
                                                                    cmp eax, FFFFFFFFh
                                                                    je 00007F1C4486058Ah
                                                                    cmp eax, esi
                                                                    je 00007F1C44860586h
                                                                    test eax, eax
                                                                    jne 00007F1C44860584h
                                                                    mov dword ptr [ecx], esi
                                                                    add ecx, 20h
                                                                    inc edx
                                                                    cmp ecx, 00436078h
                                                                    jl 00007F1C44860550h
                                                                    pop edi
                                                                    xor eax, eax
                                                                    pop esi
                                                                    ret
                                                                    call 00007F1C44862844h
                                                                    cmp byte ptr [00000000h], 00000000h
                                                                    Programming Language:
                                                                    • [C++] VS2010 build 30319
                                                                    • [ASM] VS2010 build 30319
                                                                    • [ C ] VS2010 build 30319
                                                                    • [IMP] VS2008 SP1 build 30729
                                                                    • [RES] VS2010 build 30319
                                                                    • [LNK] VS2010 build 30319
                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34f04 | 0x64 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2051000 | 0x2d128 | .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x34f68 | 0x1c | .text
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b28 | 0x40 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x224 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                    .text | 0x1000 | 0x34b8c | 0x34c00 | b5c820cd68b3873502899a56e26fc4bb | False | 0.9168348267180095 | data | 7.876885992304956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .data | 0x36000 | 0x201ac84 | 0x5a00 | 6a292b15a937d27e3a5fed2ef76ed323 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                    .rsrc | 0x2051000 | 0x2d128 | 0x2d200 | af7195b1ee32d304a2455e85658a513c | False | 0.4510907202216066 | data | 5.184601260526752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PAMIYUYOVELURASEYOKODIJEBAWABIBO | 0x2078ac8 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5899857678871782
PAMIYUYOVELURASEYOKODIJEBAWABIBO | 0x2078ac8 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5899857678871782
ZEZEJEFIJICEDORIJ | 0x2077758 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | India | 0.5917587939698492
ZEZEJEFIJICEDORIJ | 0x2077758 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | Sri Lanka | 0.5917587939698492
RT_CURSOR | 0x207a938 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x207b7e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x207c088 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_ICON | 0x2051d50 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.43336886993603413
RT_ICON | 0x2051d50 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.43336886993603413
RT_ICON | 0x2052bf8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5397111913357401
RT_ICON | 0x2052bf8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5397111913357401
RT_ICON | 0x20534a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6059907834101382
RT_ICON | 0x20534a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6059907834101382
RT_ICON | 0x2053b68 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6770231213872833
RT_ICON | 0x2053b68 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6770231213872833
RT_ICON | 0x20540d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.33184647302904563
RT_ICON | 0x20540d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.33184647302904563
RT_ICON | 0x2056678 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.4075984990619137
RT_ICON | 0x2056678 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.4075984990619137
RT_ICON | 0x2057720 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.47295081967213115
RT_ICON | 0x2057720 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.47295081967213115
RT_ICON | 0x20580a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.5531914893617021
RT_ICON | 0x20580a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.5531914893617021
RT_ICON | 0x2058588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3662046908315565
RT_ICON | 0x2058588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3662046908315565
RT_ICON | 0x2059430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.45216606498194944
RT_ICON | 0x2059430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.45216606498194944
RT_ICON | 0x2059cd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.4573732718894009
RT_ICON | 0x2059cd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.4573732718894009
RT_ICON | 0x205a3a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4588150289017341
RT_ICON | 0x205a3a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4588150289017341
RT_ICON | 0x205a908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.2697095435684647
RT_ICON | 0x205a908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.2697095435684647
RT_ICON | 0x205ceb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.3074577861163227
RT_ICON | 0x205ceb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.3074577861163227
RT_ICON | 0x205df58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.35726950354609927
RT_ICON | 0x205df58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.35726950354609927
RT_ICON | 0x205e428 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.5676972281449894
RT_ICON | 0x205e428 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.5676972281449894
RT_ICON | 0x205f2d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5478339350180506
RT_ICON | 0x205f2d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5478339350180506
RT_ICON | 0x205fb78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.6163294797687862
RT_ICON | 0x205fb78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.6163294797687862
RT_ICON | 0x20600e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.462344398340249
RT_ICON | 0x20600e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.462344398340249
RT_ICON | 0x2062688 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.48874296435272047
RT_ICON | 0x2062688 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.48874296435272047
RT_ICON | 0x2063730 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.49508196721311476
RT_ICON | 0x2063730 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.49508196721311476
RT_ICON | 0x20640b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.44858156028368795
RT_ICON | 0x20640b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.44858156028368795
RT_ICON | 0x2064588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.39152452025586354
RT_ICON | 0x2064588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.39152452025586354
RT_ICON | 0x2065430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5144404332129964
RT_ICON | 0x2065430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5144404332129964
RT_ICON | 0x2065cd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5783410138248848
RT_ICON | 0x2065cd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5783410138248848
RT_ICON | 0x20663a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.5823699421965318
RT_ICON | 0x20663a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.5823699421965318
RT_ICON | 0x2066908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.3878630705394191
RT_ICON | 0x2066908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.3878630705394191
RT_ICON | 0x2068eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.42964352720450283
RT_ICON | 0x2068eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.42964352720450283
RT_ICON | 0x2069f58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4151639344262295
RT_ICON | 0x2069f58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4151639344262295
RT_ICON | 0x206a8e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.48847517730496454
RT_ICON | 0x206a8e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.48847517730496454
RT_ICON | 0x206adc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.48933901918976547
RT_ICON | 0x206adc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.48933901918976547
RT_ICON | 0x206bc68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.46886281588447654
RT_ICON | 0x206bc68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.46886281588447654
RT_ICON | 0x206c510 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.434971098265896
RT_ICON | 0x206c510 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.434971098265896
RT_ICON | 0x206ca78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.27977178423236515
RT_ICON | 0x206ca78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.27977178423236515
RT_ICON | 0x206f020 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.2903377110694184
RT_ICON | 0x206f020 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.2903377110694184
RT_ICON | 0x20700c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.31024590163934423
RT_ICON | 0x20700c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.31024590163934423
RT_ICON | 0x2070a50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3377659574468085
RT_ICON | 0x2070a50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3377659574468085
RT_ICON | 0x2070f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3829957356076759
RT_ICON | 0x2070f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3829957356076759
RT_ICON | 0x2071dc8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5424187725631769
RT_ICON | 0x2071dc8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5424187725631769
RT_ICON | 0x2072670 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6215437788018433
RT_ICON | 0x2072670 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6215437788018433
RT_ICON | 0x2072d38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6596820809248555
RT_ICON | 0x2072d38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6596820809248555
RT_ICON | 0x20732a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.5139004149377593
RT_ICON | 0x20732a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.5139004149377593
RT_ICON | 0x2075848 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.5382270168855535
RT_ICON | 0x2075848 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.5382270168855535
RT_ICON | 0x20768f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.5217213114754098
RT_ICON | 0x20768f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.5217213114754098
RT_ICON | 0x2077278 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5815602836879432
RT_ICON | 0x2077278 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5815602836879432
RT_STRING | 0x207c878 | 0x506 | data | Tamil | India | 0.44712286158631415
RT_STRING | 0x207c878 | 0x506 | data | Tamil | Sri Lanka | 0.44712286158631415
RT_STRING | 0x207cd80 | 0x6fa | data | Tamil | India | 0.4232922732362822
RT_STRING | 0x207cd80 | 0x6fa | data | Tamil | Sri Lanka | 0.4232922732362822
RT_STRING | 0x207d480 | 0x2cc | data | Tamil | India | 0.48463687150837986
RT_STRING | 0x207d480 | 0x2cc | data | Tamil | Sri Lanka | 0.48463687150837986
RT_STRING | 0x207d750 | 0x606 | data | Tamil | India | 0.4383916990920882
RT_STRING | 0x207d750 | 0x606 | data | Tamil | Sri Lanka | 0.4383916990920882
RT_STRING | 0x207dd58 | 0x3cc | data | Tamil | India | 0.45267489711934156
RT_STRING | 0x207dd58 | 0x3cc | data | Tamil | Sri Lanka | 0.45267489711934156
RT_ACCELERATOR | 0x207a900 | 0x38 | data | Tamil | India | 0.9107142857142857
RT_ACCELERATOR | 0x207a900 | 0x38 | data | Tamil | Sri Lanka | 0.9107142857142857
RT_GROUP_CURSOR | 0x207c5f0 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x2064520 | 0x68 | data | Tamil | India | 0.7115384615384616
RT_GROUP_ICON | 0x2064520 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616
RT_GROUP_ICON | 0x2058510 | 0x76 | data | Tamil | India | 0.6610169491525424
RT_GROUP_ICON | 0x2058510 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424
RT_GROUP_ICON | 0x205e3c0 | 0x68 | data | Tamil | India | 0.7115384615384616
RT_GROUP_ICON | 0x205e3c0 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616
RT_GROUP_ICON | 0x206ad48 | 0x76 | data | Tamil | India | 0.6779661016949152
RT_GROUP_ICON | 0x206ad48 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152
RT_GROUP_ICON | 0x20776e0 | 0x76 | data | Tamil | India | 0.6864406779661016
RT_GROUP_ICON | 0x20776e0 | 0x76 | data | Tamil | Sri Lanka | 0.6864406779661016
RT_GROUP_ICON | 0x2070eb8 | 0x68 | data | Tamil | India | 0.7019230769230769
RT_GROUP_ICON | 0x2070eb8 | 0x68 | data | Tamil | Sri Lanka | 0.7019230769230769
RT_VERSION | 0x207c620 | 0x254 | data | | | 0.5436241610738255
DLL | Import
KERNEL32.dll | InterlockedDecrement, GetCurrentProcess, InterlockedCompareExchange, SetVolumeMountPointW, CreateHardLinkA, GetModuleHandleW, CreateNamedPipeW, EnumCalendarInfoExW, GetNumberFormatA, CreateActCtxW, TlsSetValue, LoadLibraryW, GetLocaleInfoW, GetCalendarInfoA, CreateEventA, GetFileAttributesA, GetTimeFormatW, GetModuleFileNameW, FindNextVolumeMountPointW, GetTempPathW, GetShortPathNameA, CreateJobObjectA, VerifyVersionInfoW, InterlockedExchange, GlobalUnfix, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetProcAddress, GetLongPathNameA, PeekConsoleInputW, EnumSystemCodePagesW, GetConsoleDisplayMode, SetComputerNameA, GetCommState, GetProcessVersion, SetThreadPriorityBoost, InterlockedExchangeAdd, CreateFileMappingA, LocalAlloc, GetFileType, FoldStringW, SetEnvironmentVariableA, EnumDateFormatsA, GetProcessShutdownParameters, LoadLibraryExA, VirtualProtect, GetFileTime, WaitForDebugEvent, OpenEventW, SetFileShortNameA, GetVersionExA, GetDiskFreeSpaceExW, GetWindowsDirectoryW, LocalFree, LCMapStringW, CommConfigDialogW, CloseHandle, GetStringTypeW, CreateFileW, IsProcessorFeaturePresent, MultiByteToWideChar, WriteConsoleW, InterlockedIncrement, GetConsoleAliasExesLengthA, SetEndOfFile, GetConsoleAliasExesA, EnumCalendarInfoA, GlobalMemoryStatus, LoadModule, SetDefaultCommConfigA, SetStdHandle, FlushFileBuffers, HeapAlloc, HeapReAlloc, ExitProcess, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, WriteFile, HeapCreate, HeapFree, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize
USER32.dll | DrawStateA, SetCaretPos, LoadMenuA, CharUpperA, GetMenu, InsertMenuItemW, GetWindowLongW, GetSysColor, GetMenuStringA
GDI32.dll | GetBkMode, GetCharWidthFloatA, CreateDCA, GetCharWidth32A, GetTextMetricsA, GetTextCharset, GetCharWidthI
WINHTTP.dll | WinHttpConnect
Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 21, 2024 17:16:10.205862999 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 21, 2024 17:16:11.215965033 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 21, 2024 17:16:12.944139957 CEST | 49706 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:16:12.944241047 CEST | 443 | 49706 | 195.58.54.132 | 192.168.2.5
Sep 21, 2024 17:16:12.944335938 CEST | 49706 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:16:13.215941906 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 21, 2024 17:16:17.215964079 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 21, 2024 17:16:25.216008902 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 21, 2024 17:16:30.232304096 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
Sep 21, 2024 17:16:31.231663942 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
Sep 21, 2024 17:16:33.247344017 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
Sep 21, 2024 17:16:37.262929916 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
Sep 21, 2024 17:16:45.278599024 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
Sep 21, 2024 17:16:50.306384087 CEST | 49932 | 25 | 192.168.2.5 | 142.251.173.27
Sep 21, 2024 17:16:51.309954882 CEST | 49932 | 25 | 192.168.2.5 | 142.251.173.27
Sep 21, 2024 17:16:52.935004950 CEST | 49706 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:16:52.935117960 CEST | 443 | 49706 | 195.58.54.132 | 192.168.2.5
Sep 21, 2024 17:16:52.935249090 CEST | 49706 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:16:53.053417921 CEST | 49933 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:16:53.053447008 CEST | 443 | 49933 | 195.58.54.132 | 192.168.2.5
Sep 21, 2024 17:16:53.053522110 CEST | 49933 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:16:53.309983015 CEST | 49932 | 25 | 192.168.2.5 | 142.251.173.27
Sep 21, 2024 17:16:57.309947014 CEST | 49932 | 25 | 192.168.2.5 | 142.251.173.27
Sep 21, 2024 17:17:05.309945107 CEST | 49932 | 25 | 192.168.2.5 | 142.251.173.27
Sep 21, 2024 17:17:10.310090065 CEST | 49934 | 25 | 192.168.2.5 | 94.100.180.31
Sep 21, 2024 17:17:11.325793982 CEST | 49934 | 25 | 192.168.2.5 | 94.100.180.31
Sep 21, 2024 17:17:13.341335058 CEST | 49934 | 25 | 192.168.2.5 | 94.100.180.31
Sep 21, 2024 17:17:17.356898069 CEST | 49934 | 25 | 192.168.2.5 | 94.100.180.31
Sep 21, 2024 17:17:25.356960058 CEST | 49934 | 25 | 192.168.2.5 | 94.100.180.31
Sep 21, 2024 17:17:33.044723034 CEST | 49933 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:17:33.044806004 CEST | 443 | 49933 | 195.58.54.132 | 192.168.2.5
Sep 21, 2024 17:17:33.044969082 CEST | 49933 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:17:33.154776096 CEST | 49935 | 443 | 192.168.2.5 | 195.58.54.132
Sep 21, 2024 17:17:33.154879093 CEST | 443 | 49935 | 195.58.54.132 | 192.168.2.5
Sep 21, 2024 17:17:33.154994011 CEST | 49935 | 443 | 192.168.2.5 | 195.58.54.132
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 21, 2024 17:16:09.945190907 CEST | 50355 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:10.192397118 CEST | 53 | 50355 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:16:12.935652018 CEST | 61224 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:12.943625927 CEST | 53 | 61224 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:16:30.216813087 CEST | 58564 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:30.223870993 CEST | 53 | 58564 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:16:30.224750042 CEST | 56270 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:30.231553078 CEST | 53 | 56270 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:16:38.129618883 CEST | 53 | 65193 | 162.159.36.2 | 192.168.2.5
Sep 21, 2024 17:16:38.761280060 CEST | 53788 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:38.931525946 CEST | 53 | 53788 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:16:50.247973919 CEST | 56721 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:50.290038109 CEST | 53 | 56721 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:16:50.295911074 CEST | 59507 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:50.303103924 CEST | 53 | 59507 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:16:53.044939041 CEST | 62238 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:16:53.052836895 CEST | 53 | 62238 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:17:10.295361996 CEST | 54060 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:17:10.302165985 CEST | 53 | 54060 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:17:10.302874088 CEST | 49365 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:17:10.309432983 CEST | 53 | 49365 | 1.1.1.1 | 192.168.2.5
Sep 21, 2024 17:18:11.630193949 CEST | 59393 | 53 | 192.168.2.5 | 1.1.1.1
Sep 21, 2024 17:18:11.664124012 CEST | 53 | 59393 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 21, 2024 17:16:09.945190907 CEST | 192.168.2.5 | 1.1.1.1 | 0x4195 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:12.935652018 CEST | 192.168.2.5 | 1.1.1.1 | 0xda29 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.216813087 CEST | 192.168.2.5 | 1.1.1.1 | 0x3cee | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:16:30.224750042 CEST | 192.168.2.5 | 1.1.1.1 | 0x716a | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:38.761280060 CEST | 192.168.2.5 | 1.1.1.1 | 0x4cc4 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 21, 2024 17:16:50.247973919 CEST | 192.168.2.5 | 1.1.1.1 | 0x8cca | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:16:50.295911074 CEST | 192.168.2.5 | 1.1.1.1 | 0x5515 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:53.044939041 CEST | 192.168.2.5 | 1.1.1.1 | 0x35bf | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:17:10.295361996 CEST | 192.168.2.5 | 1.1.1.1 | 0xa03e | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:17:10.302874088 CEST | 192.168.2.5 | 1.1.1.1 | 0x4e9c | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:18:11.630193949 CEST | 192.168.2.5 | 1.1.1.1 | 0x9ae8 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 21, 2024 17:16:10.192397118 CEST | 1.1.1.1 | 192.168.2.5 | 0x4195 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:10.192397118 CEST | 1.1.1.1 | 192.168.2.5 | 0x4195 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:10.192397118 CEST | 1.1.1.1 | 192.168.2.5 | 0x4195 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:10.192397118 CEST | 1.1.1.1 | 192.168.2.5 | 0x4195 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:12.943625927 CEST | 1.1.1.1 | 192.168.2.5 | 0xda29 | No error (0) | vanaheim.cn | | 195.58.54.132 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.223870993 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cee | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:16:30.223870993 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cee | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:16:30.223870993 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cee | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:30.231553078 CEST | 1.1.1.1 | 192.168.2.5 | 0x716a | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:38.931525946 CEST | 1.1.1.1 | 192.168.2.5 | 0x4cc4 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 21, 2024 17:16:50.290038109 CEST | 1.1.1.1 | 192.168.2.5 | 0x8cca | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:16:50.303103924 CEST | 1.1.1.1 | 192.168.2.5 | 0x5515 | No error (0) | smtp.google.com | | 142.251.173.27 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:50.303103924 CEST | 1.1.1.1 | 192.168.2.5 | 0x5515 | No error (0) | smtp.google.com | | 74.125.206.26 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:50.303103924 CEST | 1.1.1.1 | 192.168.2.5 | 0x5515 | No error (0) | smtp.google.com | | 74.125.206.27 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:50.303103924 CEST | 1.1.1.1 | 192.168.2.5 | 0x5515 | No error (0) | smtp.google.com | | 142.251.173.26 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:50.303103924 CEST | 1.1.1.1 | 192.168.2.5 | 0x5515 | No error (0) | smtp.google.com | | 64.233.167.27 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:16:53.052836895 CEST | 1.1.1.1 | 192.168.2.5 | 0x35bf | No error (0) | vanaheim.cn | | 195.58.54.132 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:17:10.302165985 CEST | 1.1.1.1 | 192.168.2.5 | 0xa03e | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 17:17:10.309432983 CEST | 1.1.1.1 | 192.168.2.5 | 0x4e9c | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:17:10.309432983 CEST | 1.1.1.1 | 192.168.2.5 | 0x4e9c | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:18:11.664124012 CEST | 1.1.1.1 | 192.168.2.5 | 0x9ae8 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:18:11.664124012 CEST | 1.1.1.1 | 192.168.2.5 | 0x9ae8 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:18:11.664124012 CEST | 1.1.1.1 | 192.168.2.5 | 0x9ae8 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 17:18:11.664124012 CEST | 1.1.1.1 | 192.168.2.5 | 0x9ae8 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false

                                                                    Target ID:0
                                                                    Start time:11:16:04
                                                                    Start date:21/09/2024
                                                                    Path:C:\Users\user\Desktop\H3nfKrgQbi.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\H3nfKrgQbi.exe"
                                                                    Imagebase:0x400000
                                                                    File size:424'960 bytes
                                                                    MD5 hash:1C5083792ACFCCF5D90DB80884569ACE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2105496878.00000000024DD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2071128241.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:11:16:05
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bazwewbz\
                                                                    Imagebase:0x790000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:11:16:05
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:11:16:05
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wuefhdgm.exe" C:\Windows\SysWOW64\bazwewbz\
                                                                    Imagebase:0x790000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:11:16:05
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:11:16:06
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" create bazwewbz binPath= "C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d\"C:\Users\user\Desktop\H3nfKrgQbi.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                    Imagebase:0x750000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:11:16:06
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:11:16:06
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" description bazwewbz "wifi internet conection"
                                                                    Imagebase:0x750000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:11:16:06
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" start bazwewbz
                                                                    Imagebase:0x750000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe /d"C:\Users\user\Desktop\H3nfKrgQbi.exe"
                                                                    Imagebase:0x400000
                                                                    File size:13'548'032 bytes
                                                                    MD5 hash:E8162D23E2C2202690CEB6F6E48A723E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2105550467.0000000002528000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2105868697.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2100698826.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:svchost.exe
                                                                    Imagebase:0x500000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:14
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                    Imagebase:0x7ff7e52b0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864
                                                                    Imagebase:0x110000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                    Imagebase:0x1080000
                                                                    File size:82'432 bytes
                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7092 -ip 7092
                                                                    Imagebase:0x110000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 1188
                                                                    Imagebase:0x110000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:11:16:07
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 536
                                                                    Imagebase:0x110000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:11:16:50
                                                                    Start date:21/09/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                    Imagebase:0x7ff7e52b0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false


                                                                      Execution Graph

                                                                      Execution Coverage:3.6%
                                                                      Dynamic/Decrypted Code Coverage:31%
                                                                      Signature Coverage:25.4%
                                                                      Total number of Nodes:1563
                                                                      Total number of Limit Nodes:18
GetProcAddress 15461->15462 15462->15451 15463 401241 GetProcAddress 15462->15463 15463->15451 15464 40125c GetProcAddress 15463->15464 15464->15451 15465->15426 15468 4069b9 WriteFile 15466->15468 15469 406a3c 15468->15469 15471 4069ff 15468->15471 15469->15050 15469->15051 15470 406a10 WriteFile 15470->15469 15470->15471 15471->15469 15471->15470 15473 40eb17 15472->15473 15474 40eb21 15472->15474 15476 40eae4 15473->15476 15474->15054 15477 40eb02 GetProcAddress 15476->15477 15478 40eaed LoadLibraryA 15476->15478 15477->15474 15478->15477 15479 40eb01 15478->15479 15479->15474 15481 40eba7 GetProcessHeap HeapSize 15480->15481 15482 40ebbf GetProcessHeap HeapFree 15480->15482 15481->15482 15482->15083 15484 40908d 15483->15484 15485 4090e2 wsprintfA 15484->15485 15486 40ee2a 15485->15486 15487 4090fd CreateFileA 15486->15487 15488 40911a lstrlenA WriteFile CloseHandle 15487->15488 15489 40913f 15487->15489 15488->15489 15489->15092 15489->15093 15491 40ee2a 15490->15491 15492 409794 CreateProcessA 15491->15492 15493 4097c2 15492->15493 15494 4097bb 15492->15494 15495 4097d4 GetThreadContext 15493->15495 15494->15104 15496 409801 15495->15496 15497 4097f5 15495->15497 15504 40637c 15496->15504 15498 4097f6 TerminateProcess 15497->15498 15498->15494 15500 409816 15500->15498 15501 40981e WriteProcessMemory 15500->15501 15501->15497 15502 40983b SetThreadContext 15501->15502 15502->15497 15503 409858 ResumeThread 15502->15503 15503->15494 15505 406386 15504->15505 15506 40638a GetModuleHandleA VirtualAlloc 15504->15506 15505->15500 15507 4063f5 15506->15507 15508 4063b6 15506->15508 15507->15500 15509 4063be VirtualAllocEx 15508->15509 15509->15507 15510 4063d6 15509->15510 15511 4063df WriteProcessMemory 15510->15511 15511->15507 15513 40dd41 InterlockedExchange 15512->15513 15514 40dd20 GetCurrentThreadId 15513->15514 15515 40dd4a 15513->15515 15516 40dd53 GetCurrentThreadId 15514->15516 15517 40dd2e GetTickCount 15514->15517 15515->15516 15516->15107 15517->15515 
15518 40dd39 Sleep 15517->15518 15518->15513 15520 40dbf0 15519->15520 15552 40db67 GetEnvironmentVariableA 15520->15552 15522 40dc19 15523 40dcda 15522->15523 15524 40db67 3 API calls 15522->15524 15523->15109 15525 40dc5c 15524->15525 15525->15523 15526 40db67 3 API calls 15525->15526 15527 40dc9b 15526->15527 15527->15523 15528 40db67 3 API calls 15527->15528 15528->15523 15530 40db55 15529->15530 15531 40db3a 15529->15531 15530->15111 15530->15116 15556 40ebed 15531->15556 15565 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15533->15565 15535 40e3be 15535->15111 15536 40e342 15536->15535 15568 40de24 15536->15568 15539 40e528 15538->15539 15540 40e3f4 15538->15540 15539->15119 15541 40e434 RegQueryValueExA 15540->15541 15542 40e458 15541->15542 15543 40e51d RegCloseKey 15541->15543 15544 40e46e RegQueryValueExA 15542->15544 15543->15539 15544->15542 15545 40e488 15544->15545 15545->15543 15546 40db2e 8 API calls 15545->15546 15547 40e499 15546->15547 15547->15543 15548 40e4b9 RegQueryValueExA 15547->15548 15549 40e4e8 15547->15549 15548->15547 15548->15549 15549->15543 15550 40e332 14 API calls 15549->15550 15551 40e513 15550->15551 15551->15543 15553 40dbca 15552->15553 15555 40db89 lstrcpyA CreateFileA 15552->15555 15553->15522 15555->15522 15557 40ec01 15556->15557 15558 40ebf6 15556->15558 15559 40eba0 codecvt 2 API calls 15557->15559 15560 40ebcc 4 API calls 15558->15560 15561 40ec0a GetProcessHeap HeapReAlloc 15559->15561 15562 40ebfe 15560->15562 15563 40eb74 2 API calls 15561->15563 15562->15530 15564 40ec28 15563->15564 15564->15530 15579 40eb41 15565->15579 15569 40de3a 15568->15569 15572 40de4e 15569->15572 15583 40dd84 15569->15583 15572->15536 15573 40de9e 15573->15572 15574 40ebed 8 API calls 15573->15574 15577 40def6 15574->15577 15575 40de76 15587 40ddcf 15575->15587 15577->15572 15578 40ddcf lstrcmpA 15577->15578 15578->15572 15580 40eb4a 15579->15580 15582 40eb54 15579->15582 15581 40eae4 2 API calls 15580->15581 15581->15582 
15582->15536 15584 40ddc5 15583->15584 15585 40dd96 15583->15585 15584->15573 15584->15575 15585->15584 15586 40ddad lstrcmpiA 15585->15586 15586->15584 15586->15585 15588 40de20 15587->15588 15589 40dddd 15587->15589 15588->15572 15589->15588 15590 40ddfa lstrcmpA 15589->15590 15590->15589 15592 40dd05 6 API calls 15591->15592 15593 40e821 15592->15593 15594 40dd84 lstrcmpiA 15593->15594 15595 40e82c 15594->15595 15596 40e844 15595->15596 15639 402480 15595->15639 15596->15136 15599 40dd05 6 API calls 15598->15599 15600 40df7c 15599->15600 15601 40dd84 lstrcmpiA 15600->15601 15606 40df89 15601->15606 15602 40dfc4 15602->15143 15603 40ddcf lstrcmpA 15603->15606 15604 40ec2e codecvt 4 API calls 15604->15606 15605 40dd84 lstrcmpiA 15605->15606 15606->15602 15606->15603 15606->15604 15606->15605 15608 40ea98 15607->15608 15648 40e8a1 15608->15648 15610 401e84 15610->15145 15612 4019d5 GetProcAddress GetProcAddress GetProcAddress 15611->15612 15615 4019ce 15611->15615 15613 401ab3 FreeLibrary 15612->15613 15614 401a04 15612->15614 15613->15615 15614->15613 15616 401a14 GetProcessHeap 15614->15616 15615->15149 15616->15615 15618 401a2e HeapAlloc 15616->15618 15618->15615 15619 401a42 15618->15619 15620 401a52 HeapReAlloc 15619->15620 15622 401a62 15619->15622 15620->15622 15621 401aa1 FreeLibrary 15621->15615 15622->15621 15623 401a96 HeapFree 15622->15623 15623->15621 15676 401ac3 LoadLibraryA 15624->15676 15627 401bcf 15627->15160 15629 401ac3 12 API calls 15628->15629 15630 401c09 15629->15630 15631 401c41 15630->15631 15632 401c0d GetComputerNameA 15630->15632 15631->15168 15633 401c45 GetVolumeInformationA 15632->15633 15634 401c1f 15632->15634 15633->15631 15634->15631 15634->15633 15636 40ee2a 15635->15636 15637 4030d0 gethostname gethostbyname 15636->15637 15638 401f82 15637->15638 15638->15174 15638->15175 15642 402419 lstrlenA 15639->15642 15641 402491 15641->15596 15643 40243d lstrlenA 15642->15643 15647 402474 15642->15647 15644 402464 lstrlenA 15643->15644 
15645 40244e lstrcmpiA 15643->15645 15644->15643 15644->15647 15645->15644 15646 40245c 15645->15646 15646->15644 15646->15647 15647->15641 15649 40dd05 6 API calls 15648->15649 15650 40e8b4 15649->15650 15651 40dd84 lstrcmpiA 15650->15651 15652 40e8c0 15651->15652 15653 40e90a 15652->15653 15654 40e8c8 lstrcpynA 15652->15654 15656 402419 4 API calls 15653->15656 15664 40ea27 15653->15664 15655 40e8f5 15654->15655 15669 40df4c 15655->15669 15657 40e926 lstrlenA lstrlenA 15656->15657 15659 40e96a 15657->15659 15660 40e94c lstrlenA 15657->15660 15663 40ebcc 4 API calls 15659->15663 15659->15664 15660->15659 15661 40e901 15662 40dd84 lstrcmpiA 15661->15662 15662->15653 15665 40e98f 15663->15665 15664->15610 15665->15664 15666 40df4c 20 API calls 15665->15666 15667 40ea1e 15666->15667 15668 40ec2e codecvt 4 API calls 15667->15668 15668->15664 15670 40dd05 6 API calls 15669->15670 15671 40df51 15670->15671 15672 40f04e 4 API calls 15671->15672 15673 40df58 15672->15673 15674 40de24 10 API calls 15673->15674 15675 40df63 15674->15675 15675->15661 15677 401ae2 GetProcAddress 15676->15677 15680 401b68 GetComputerNameA GetVolumeInformationA 15676->15680 15678 401af5 15677->15678 15677->15680 15679 40ebed 8 API calls 15678->15679 15681 401b29 15678->15681 15679->15678 15680->15627 15681->15680 15681->15681 15682 40ec2e codecvt 4 API calls 15681->15682 15682->15680 15684 406ec3 2 API calls 15683->15684 15685 407ef4 15684->15685 15686 4073ff 17 API calls 15685->15686 15695 407fc9 15685->15695 15687 407f16 15686->15687 15687->15695 15696 407809 GetUserNameA 15687->15696 15689 407f63 15690 40ef1e lstrlenA 15689->15690 15689->15695 15691 407fa6 15690->15691 15692 40ef1e lstrlenA 15691->15692 15693 407fb7 15692->15693 15720 407a95 RegOpenKeyExA 15693->15720 15695->15183 15697 40783d LookupAccountNameA 15696->15697 15698 407a8d 15696->15698 15697->15698 15699 407874 GetLengthSid GetFileSecurityA 15697->15699 15698->15689 15699->15698 15700 4078a8 GetSecurityDescriptorOwner 
15699->15700 15701 4078c5 EqualSid 15700->15701 15702 40791d GetSecurityDescriptorDacl 15700->15702 15701->15702 15703 4078dc LocalAlloc 15701->15703 15702->15698 15704 407941 15702->15704 15703->15702 15705 4078ef InitializeSecurityDescriptor 15703->15705 15704->15698 15708 40795b GetAce 15704->15708 15710 407980 EqualSid 15704->15710 15711 4079be EqualSid 15704->15711 15712 407a3d 15704->15712 15714 40799d DeleteAce 15704->15714 15706 407916 LocalFree 15705->15706 15707 4078fb SetSecurityDescriptorOwner 15705->15707 15706->15702 15707->15706 15709 40790b SetFileSecurityA 15707->15709 15708->15704 15709->15706 15710->15704 15711->15704 15712->15698 15713 407a43 LocalAlloc 15712->15713 15713->15698 15715 407a56 InitializeSecurityDescriptor 15713->15715 15714->15704 15716 407a62 SetSecurityDescriptorDacl 15715->15716 15717 407a86 LocalFree 15715->15717 15716->15717 15718 407a73 SetFileSecurityA 15716->15718 15717->15698 15718->15717 15719 407a83 15718->15719 15719->15717 15721 407ac4 15720->15721 15722 407acb GetUserNameA 15720->15722 15721->15695 15723 407da7 RegCloseKey 15722->15723 15724 407aed LookupAccountNameA 15722->15724 15723->15721 15724->15723 15725 407b24 RegGetKeySecurity 15724->15725 15725->15723 15726 407b49 GetSecurityDescriptorOwner 15725->15726 15727 407b63 EqualSid 15726->15727 15728 407bb8 GetSecurityDescriptorDacl 15726->15728 15727->15728 15729 407b74 LocalAlloc 15727->15729 15730 407da6 15728->15730 15737 407bdc 15728->15737 15729->15728 15731 407b8a InitializeSecurityDescriptor 15729->15731 15730->15723 15732 407bb1 LocalFree 15731->15732 15733 407b96 SetSecurityDescriptorOwner 15731->15733 15732->15728 15733->15732 15735 407ba6 RegSetKeySecurity 15733->15735 15734 407bf8 GetAce 15734->15737 15735->15732 15736 407c1d EqualSid 15736->15737 15737->15730 15737->15734 15737->15736 15738 407cd9 15737->15738 15739 407c5f EqualSid 15737->15739 15740 407c3a DeleteAce 15737->15740 15738->15730 15741 407d5a LocalAlloc 15738->15741 15742 407cf2 
RegOpenKeyExA 15738->15742 15739->15737 15740->15737 15741->15730 15743 407d70 InitializeSecurityDescriptor 15741->15743 15742->15741 15747 407d0f 15742->15747 15744 407d7c SetSecurityDescriptorDacl 15743->15744 15745 407d9f LocalFree 15743->15745 15744->15745 15746 407d8c RegSetKeySecurity 15744->15746 15745->15730 15746->15745 15748 407d9c 15746->15748 15749 407d43 RegSetValueExA 15747->15749 15748->15745 15749->15741 15750 407d54 15749->15750 15750->15741 15751->15203 15753 40dd05 6 API calls 15752->15753 15756 40e65f 15753->15756 15754 40e6a5 15755 40ebcc 4 API calls 15754->15755 15759 40e6f5 15754->15759 15757 40e6b0 15755->15757 15756->15754 15758 40e68c lstrcmpA 15756->15758 15757->15759 15760 40e6b7 15757->15760 15761 40e6e0 lstrcpynA 15757->15761 15758->15756 15759->15760 15762 40e71d lstrcmpA 15759->15762 15760->15205 15761->15759 15762->15759 15763->15211 15765 40c525 15764->15765 15766 40c532 15764->15766 15765->15766 15768 40ec2e codecvt 4 API calls 15765->15768 15767 40c548 15766->15767 15916 40e7ff 15766->15916 15770 40e7ff lstrcmpiA 15767->15770 15777 40c54f 15767->15777 15768->15766 15771 40c615 15770->15771 15772 40ebcc 4 API calls 15771->15772 15771->15777 15772->15777 15773 40c5d1 15775 40ebcc 4 API calls 15773->15775 15775->15777 15776 40e819 11 API calls 15778 40c5b7 15776->15778 15777->15224 15779 40f04e 4 API calls 15778->15779 15780 40c5bf 15779->15780 15780->15767 15780->15773 15782 402692 inet_addr 15781->15782 15783 40268e 15781->15783 15782->15783 15784 40269e gethostbyname 15782->15784 15785 40f428 15783->15785 15784->15783 15919 40f315 15785->15919 15790 40c8d2 15788->15790 15789 40c907 15789->15226 15790->15789 15791 40c517 23 API calls 15790->15791 15791->15789 15792 40f43e 15793 40f473 recv 15792->15793 15794 40f458 15793->15794 15795 40f47c 15793->15795 15794->15793 15794->15795 15795->15242 15797 40c670 15796->15797 15798 40c67d 15796->15798 15799 40ebcc 4 API calls 15797->15799 15800 40ebcc 4 API calls 15798->15800 15802 40c699 
15798->15802 15799->15798 15800->15802 15801 40c6f3 15801->15255 15801->15285 15802->15801 15803 40c73c send 15802->15803 15803->15801 15805 40c770 15804->15805 15806 40c77d 15804->15806 15807 40ebcc 4 API calls 15805->15807 15808 40c799 15806->15808 15809 40ebcc 4 API calls 15806->15809 15807->15806 15810 40ebcc 4 API calls 15808->15810 15812 40c7b5 15808->15812 15809->15808 15810->15812 15811 40f43e recv 15813 40c7cb 15811->15813 15812->15811 15814 40f43e recv 15813->15814 15815 40c7d3 15813->15815 15814->15815 15815->15285 15932 407db7 15816->15932 15819 407e70 15820 407e96 15819->15820 15822 40f04e 4 API calls 15819->15822 15820->15285 15821 40f04e 4 API calls 15823 407e4c 15821->15823 15822->15820 15823->15819 15824 40f04e 4 API calls 15823->15824 15824->15819 15826 406ec3 2 API calls 15825->15826 15827 407fdd 15826->15827 15828 4073ff 17 API calls 15827->15828 15837 4080c2 CreateProcessA 15827->15837 15829 407fff 15828->15829 15830 407809 21 API calls 15829->15830 15829->15837 15831 40804d 15830->15831 15832 40ef1e lstrlenA 15831->15832 15831->15837 15833 40809e 15832->15833 15834 40ef1e lstrlenA 15833->15834 15835 4080af 15834->15835 15836 407a95 24 API calls 15835->15836 15836->15837 15837->15307 15837->15308 15839 407db7 2 API calls 15838->15839 15840 407eb8 15839->15840 15841 40f04e 4 API calls 15840->15841 15842 407ece DeleteFileA 15841->15842 15842->15285 15844 40dd05 6 API calls 15843->15844 15845 40e31d 15844->15845 15936 40e177 15845->15936 15847 40e326 15847->15279 15849 4031f3 15848->15849 15859 4031ec 15848->15859 15850 40ebcc 4 API calls 15849->15850 15857 4031fc 15850->15857 15851 403459 15853 40f04e 4 API calls 15851->15853 15852 40349d 15854 40ec2e codecvt 4 API calls 15852->15854 15855 40345f 15853->15855 15854->15859 15856 4030fa 4 API calls 15855->15856 15856->15859 15858 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15857->15858 15857->15859 15860 40344d 15857->15860 15863 403141 lstrcmpiA 15857->15863 15864 40344b 
15857->15864 15962 4030fa GetTickCount 15857->15962 15858->15857 15859->15285 15861 40ec2e codecvt 4 API calls 15860->15861 15861->15864 15863->15857 15864->15851 15864->15852 15866 4030fa 4 API calls 15865->15866 15867 403c1a 15866->15867 15868 403ce6 15867->15868 15967 403a72 15867->15967 15868->15285 15871 403a72 9 API calls 15873 403c5e 15871->15873 15872 403a72 9 API calls 15872->15873 15873->15868 15873->15872 15874 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15873->15874 15874->15873 15876 403a10 15875->15876 15877 4030fa 4 API calls 15876->15877 15878 403a1a 15877->15878 15878->15285 15880 40dd05 6 API calls 15879->15880 15881 40e7be 15880->15881 15881->15285 15883 40c07e wsprintfA 15882->15883 15887 40c105 15882->15887 15976 40bfce GetTickCount wsprintfA 15883->15976 15885 40c0ef 15977 40bfce GetTickCount wsprintfA 15885->15977 15887->15285 15889 407047 15888->15889 15890 406f88 LookupAccountNameA 15888->15890 15889->15285 15892 407025 15890->15892 15893 406fcb 15890->15893 15894 406edd 5 API calls 15892->15894 15896 406fdb ConvertSidToStringSidA 15893->15896 15895 40702a wsprintfA 15894->15895 15895->15889 15896->15892 15897 406ff1 15896->15897 15898 407013 LocalFree 15897->15898 15898->15892 15900 40dd05 6 API calls 15899->15900 15901 40e85c 15900->15901 15902 40dd84 lstrcmpiA 15901->15902 15903 40e867 15902->15903 15904 40e885 lstrcpyA 15903->15904 15978 4024a5 15903->15978 15981 40dd69 15904->15981 15910 407db7 2 API calls 15909->15910 15911 407de1 15910->15911 15912 40f04e 4 API calls 15911->15912 15915 407e16 15911->15915 15913 407df2 15912->15913 15914 40f04e 4 API calls 15913->15914 15913->15915 15914->15915 15915->15285 15917 40dd84 lstrcmpiA 15916->15917 15918 40c58e 15917->15918 15918->15767 15918->15773 15918->15776 15920 40f33b 15919->15920 15928 40ca1d 15919->15928 15921 40f347 htons socket 15920->15921 15922 40f382 ioctlsocket 15921->15922 15923 40f374 closesocket 15921->15923 15924 40f3aa connect select 15922->15924 15925 
40f39d 15922->15925 15923->15928 15927 40f3f2 __WSAFDIsSet 15924->15927 15924->15928 15926 40f39f closesocket 15925->15926 15926->15928 15927->15926 15929 40f403 ioctlsocket 15927->15929 15928->15239 15928->15792 15931 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15929->15931 15931->15928 15933 407dc8 InterlockedExchange 15932->15933 15934 407dc0 Sleep 15933->15934 15935 407dd4 15933->15935 15934->15933 15935->15819 15935->15821 15937 40e184 15936->15937 15938 40e2e4 15937->15938 15939 40e223 15937->15939 15952 40dfe2 15937->15952 15938->15847 15939->15938 15941 40dfe2 8 API calls 15939->15941 15945 40e23c 15941->15945 15942 40e1be 15942->15939 15943 40dbcf 3 API calls 15942->15943 15946 40e1d6 15943->15946 15944 40e21a CloseHandle 15944->15939 15945->15938 15956 40e095 RegCreateKeyExA 15945->15956 15946->15939 15946->15944 15947 40e1f9 WriteFile 15946->15947 15947->15944 15949 40e213 15947->15949 15949->15944 15950 40e2a3 15950->15938 15951 40e095 4 API calls 15950->15951 15951->15938 15953 40dffc 15952->15953 15955 40e024 15952->15955 15954 40db2e 8 API calls 15953->15954 15953->15955 15954->15955 15955->15942 15957 40e172 15956->15957 15959 40e0c0 15956->15959 15957->15950 15958 40e13d 15960 40e14e RegDeleteValueA RegCloseKey 15958->15960 15959->15958 15961 40e115 RegSetValueExA 15959->15961 15960->15957 15961->15958 15961->15959 15963 403122 InterlockedExchange 15962->15963 15964 40312e 15963->15964 15965 40310f GetTickCount 15963->15965 15964->15857 15965->15964 15966 40311a Sleep 15965->15966 15966->15963 15968 40f04e 4 API calls 15967->15968 15975 403a83 15968->15975 15969 403ac1 15969->15868 15969->15871 15970 403be6 15971 40ec2e codecvt 4 API calls 15970->15971 15971->15969 15972 403bc0 15972->15970 15974 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15972->15974 15973 403b66 lstrlenA 15973->15969 15973->15975 15974->15972 15975->15969 15975->15972 15975->15973 15976->15885 15977->15887 15979 402419 4 API calls 
15978->15979 15980 4024b6 15979->15980 15980->15904 15982 40dd79 lstrlenA 15981->15982 15982->15285 15984 408791 15983->15984 15985 40879f 15983->15985 15986 40f04e 4 API calls 15984->15986 15987 4087bc 15985->15987 15988 40f04e 4 API calls 15985->15988 15986->15985 15989 40e819 11 API calls 15987->15989 15988->15987 15990 4087d7 15989->15990 16003 408803 15990->16003 16034 4026b2 gethostbyaddr 15990->16034 15993 4087eb 15995 40e8a1 30 API calls 15993->15995 15993->16003 15995->16003 15998 40e819 11 API calls 15998->16003 15999 4088a0 Sleep 15999->16003 16001 4026b2 2 API calls 16001->16003 16002 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16002->16003 16003->15998 16003->15999 16003->16001 16003->16002 16004 40e8a1 30 API calls 16003->16004 16039 408cee 16003->16039 16047 40c4d6 16003->16047 16050 40c4e2 16003->16050 16053 402011 16003->16053 16088 408328 16003->16088 16004->16003 16006 404084 16005->16006 16007 40407d 16005->16007 16008 403ecd 6 API calls 16006->16008 16009 40408f 16008->16009 16010 404000 3 API calls 16009->16010 16012 404095 16010->16012 16011 404130 16013 403ecd 6 API calls 16011->16013 16012->16011 16015 403f18 4 API calls 16012->16015 16014 404159 CreateNamedPipeA 16013->16014 16016 404167 Sleep 16014->16016 16017 404188 ConnectNamedPipe 16014->16017 16019 4040da 16015->16019 16016->16011 16018 404176 CloseHandle 16016->16018 16020 404195 GetLastError 16017->16020 16025 4041ab 16017->16025 16018->16017 16021 403f8c 4 API calls 16019->16021 16022 40425e DisconnectNamedPipe 16020->16022 16020->16025 16023 4040ec 16021->16023 16022->16017 16024 404127 CloseHandle 16023->16024 16026 404101 16023->16026 16024->16011 16025->16017 16025->16022 16027 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16025->16027 16030 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16025->16030 16031 40426a CloseHandle CloseHandle 16025->16031 16028 403f18 4 API calls 16026->16028 
16027->16025 16029 40411c ExitProcess 16028->16029 16030->16025 16032 40e318 23 API calls 16031->16032 16033 40427b 16032->16033 16033->16033 16035 4026fb 16034->16035 16036 4026cd 16034->16036 16035->15993 16037 4026e1 inet_ntoa 16036->16037 16038 4026de 16036->16038 16037->16038 16038->15993 16040 408d02 GetTickCount 16039->16040 16041 408dae 16039->16041 16040->16041 16044 408d19 16040->16044 16041->16003 16042 408da1 GetTickCount 16042->16041 16044->16042 16046 408d89 16044->16046 16140 40a677 16044->16140 16143 40a688 16044->16143 16046->16042 16151 40c2dc 16047->16151 16051 40c2dc 141 API calls 16050->16051 16052 40c4ec 16051->16052 16052->16003 16054 402020 16053->16054 16055 40202e 16053->16055 16056 40f04e 4 API calls 16054->16056 16057 40f04e 4 API calls 16055->16057 16059 40204b 16055->16059 16056->16055 16057->16059 16058 40206e GetTickCount 16061 4020db GetTickCount 16058->16061 16069 402090 16058->16069 16059->16058 16060 40f04e 4 API calls 16059->16060 16063 402068 16060->16063 16062 402132 GetTickCount GetTickCount 16061->16062 16074 4020e7 16061->16074 16065 40f04e 4 API calls 16062->16065 16063->16058 16064 4020d4 GetTickCount 16064->16061 16068 402159 16065->16068 16066 40212b GetTickCount 16066->16062 16067 402684 2 API calls 16067->16069 16070 4021b4 16068->16070 16073 40e854 13 API calls 16068->16073 16069->16064 16069->16067 16077 4020ce 16069->16077 16478 401978 16069->16478 16072 40f04e 4 API calls 16070->16072 16076 4021d1 16072->16076 16078 40218e 16073->16078 16074->16066 16079 401978 15 API calls 16074->16079 16080 402125 16074->16080 16483 402ef8 16074->16483 16081 4021f2 16076->16081 16083 40ea84 30 API calls 16076->16083 16077->16064 16082 40e819 11 API calls 16078->16082 16079->16074 16080->16066 16081->16003 16084 40219c 16082->16084 16085 4021ec 16083->16085 16084->16070 16491 401c5f 16084->16491 16086 40f04e 4 API calls 16085->16086 16086->16081 16089 407dd6 6 API calls 16088->16089 16090 40833c 16089->16090 16091 406ec3 2 API 
calls 16090->16091 16114 408340 16090->16114 16092 40834f 16091->16092 16093 40835c 16092->16093 16097 40846b 16092->16097 16094 4073ff 17 API calls 16093->16094 16116 408373 16094->16116 16095 4085df 16098 408626 GetTempPathA 16095->16098 16106 408762 16095->16106 16115 408638 16095->16115 16096 40675c 21 API calls 16096->16095 16099 4084a7 RegOpenKeyExA 16097->16099 16112 408450 16097->16112 16098->16115 16101 4084c0 RegQueryValueExA 16099->16101 16102 40852f 16099->16102 16104 408521 RegCloseKey 16101->16104 16105 4084dd 16101->16105 16107 408564 RegOpenKeyExA 16102->16107 16122 4085a5 16102->16122 16103 4086ad 16103->16106 16108 407e2f 6 API calls 16103->16108 16104->16102 16105->16104 16113 40ebcc 4 API calls 16105->16113 16111 40ec2e codecvt 4 API calls 16106->16111 16106->16114 16109 408573 RegSetValueExA RegCloseKey 16107->16109 16107->16122 16119 4086bb 16108->16119 16109->16122 16110 40875b DeleteFileA 16110->16106 16111->16114 16112->16095 16112->16096 16118 4084f0 16113->16118 16114->16003 16563 406ba7 IsBadCodePtr 16115->16563 16116->16112 16116->16114 16120 4083ea RegOpenKeyExA 16116->16120 16118->16104 16121 4084f8 RegQueryValueExA 16118->16121 16119->16110 16126 4086e0 lstrcpyA lstrlenA 16119->16126 16120->16112 16123 4083fd RegQueryValueExA 16120->16123 16121->16104 16124 408515 16121->16124 16122->16112 16125 40ec2e codecvt 4 API calls 16122->16125 16127 40842d RegSetValueExA 16123->16127 16128 40841e 16123->16128 16129 40ec2e codecvt 4 API calls 16124->16129 16125->16112 16131 407fcf 64 API calls 16126->16131 16132 408447 RegCloseKey 16127->16132 16128->16127 16128->16132 16130 40851d 16129->16130 16130->16104 16133 408719 CreateProcessA 16131->16133 16132->16112 16134 40873d CloseHandle CloseHandle 16133->16134 16135 40874f 16133->16135 16134->16106 16136 407ee6 64 API calls 16135->16136 16137 408754 16136->16137 16138 407ead 6 API calls 16137->16138 16139 40875a 16138->16139 16139->16110 16146 40a63d 16140->16146 16142 40a685 16142->16044 16144 
40a63d GetTickCount 16143->16144 16145 40a696 16144->16145 16145->16044 16147 40a645 16146->16147 16148 40a64d 16146->16148 16147->16142 16149 40a66e 16148->16149 16150 40a65e GetTickCount 16148->16150 16149->16142 16150->16149 16167 40a4c7 GetTickCount 16151->16167 16154 40c300 GetTickCount 16156 40c337 16154->16156 16155 40c326 16155->16156 16157 40c32b GetTickCount 16155->16157 16161 40c363 GetTickCount 16156->16161 16162 40c45e 16156->16162 16157->16156 16158 40c4d2 16158->16003 16159 40c4ab InterlockedIncrement CreateThread 16159->16158 16160 40c4cb CloseHandle 16159->16160 16172 40b535 16159->16172 16160->16158 16161->16162 16163 40c373 16161->16163 16162->16158 16162->16159 16164 40c378 GetTickCount 16163->16164 16165 40c37f 16163->16165 16164->16165 16166 40c43b GetTickCount 16165->16166 16166->16162 16168 40a4f7 InterlockedExchange 16167->16168 16169 40a500 16168->16169 16170 40a4e4 GetTickCount 16168->16170 16169->16154 16169->16155 16169->16162 16170->16169 16171 40a4ef Sleep 16170->16171 16171->16168 16173 40b566 16172->16173 16174 40ebcc 4 API calls 16173->16174 16175 40b587 16174->16175 16176 40ebcc 4 API calls 16175->16176 16224 40b590 16176->16224 16177 40bdcd InterlockedDecrement 16178 40bde2 16177->16178 16180 40ec2e codecvt 4 API calls 16178->16180 16181 40bdea 16180->16181 16183 40ec2e codecvt 4 API calls 16181->16183 16182 40bdb7 Sleep 16182->16224 16184 40bdf2 16183->16184 16186 40be05 16184->16186 16187 40ec2e codecvt 4 API calls 16184->16187 16185 40bdcc 16185->16177 16187->16186 16188 40ebed 8 API calls 16188->16224 16191 40b6b6 lstrlenA 16191->16224 16192 4030b5 2 API calls 16192->16224 16193 40e819 11 API calls 16193->16224 16194 40b6ed lstrcpyA 16247 405ce1 16194->16247 16197 40b731 lstrlenA 16197->16224 16198 40b71f lstrcmpA 16198->16197 16198->16224 16199 40b772 GetTickCount 16199->16224 16200 40bd49 InterlockedIncrement 16341 40a628 16200->16341 16203 40b7ce InterlockedIncrement 16257 40acd7 16203->16257 16204 4038f0 6 API calls 
16204->16224 16205 40bc5b InterlockedIncrement 16205->16224 16208 40b912 GetTickCount 16208->16224 16209 40b826 InterlockedIncrement 16209->16199 16210 40b932 GetTickCount 16212 40bc6d InterlockedIncrement 16210->16212 16210->16224 16211 40bcdc closesocket 16211->16224 16212->16224 16213 405ce1 22 API calls 16213->16224 16216 40bba6 InterlockedIncrement 16216->16224 16218 40bc4c closesocket 16218->16224 16221 40ba71 wsprintfA 16275 40a7c1 16221->16275 16223 40a7c1 22 API calls 16223->16224 16224->16177 16224->16182 16224->16185 16224->16188 16224->16191 16224->16192 16224->16193 16224->16194 16224->16197 16224->16198 16224->16199 16224->16200 16224->16203 16224->16204 16224->16205 16224->16208 16224->16209 16224->16210 16224->16211 16224->16213 16224->16216 16224->16218 16224->16221 16224->16223 16225 40ab81 lstrcpynA InterlockedIncrement 16224->16225 16226 40ef1e lstrlenA 16224->16226 16227 405ded 12 API calls 16224->16227 16228 40a688 GetTickCount 16224->16228 16229 403e10 16224->16229 16232 403e4f 16224->16232 16235 40384f 16224->16235 16255 40a7a3 inet_ntoa 16224->16255 16262 40abee 16224->16262 16274 401feb GetTickCount 16224->16274 16295 403cfb 16224->16295 16298 40b3c5 16224->16298 16329 40ab81 16224->16329 16225->16224 16226->16224 16227->16224 16228->16224 16230 4030fa 4 API calls 16229->16230 16231 403e1d 16230->16231 16231->16224 16233 4030fa 4 API calls 16232->16233 16234 403e5c 16233->16234 16234->16224 16236 4030fa 4 API calls 16235->16236 16237 403863 16236->16237 16238 4038b9 16237->16238 16239 403889 16237->16239 16246 4038b2 16237->16246 16350 4035f9 16238->16350 16344 403718 16239->16344 16244 403718 6 API calls 16244->16246 16245 4035f9 6 API calls 16245->16246 16246->16224 16248 405cf4 16247->16248 16249 405cec 16247->16249 16251 404bd1 4 API calls 16248->16251 16356 404bd1 GetTickCount 16249->16356 16252 405d02 16251->16252 16361 405472 16252->16361 16256 40a7b9 16255->16256 16256->16224 16258 40f315 14 API calls 16257->16258 16259 40aceb 
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                        • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                        • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                        • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                      • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                      • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                      • ExitProcess.KERNEL32 ref: 00409C06
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                      • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                      • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                      • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                      • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                      • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                      • API String ID: 2089075347-2824936573
                                                                      • Opcode ID: 99d36be1cb1e2dd281c49b912807f1b416d9660fc9a6289a84b2fe52a19f9b2b
                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                      • Opcode Fuzzy Hash: 99d36be1cb1e2dd281c49b912807f1b416d9660fc9a6289a84b2fe52a19f9b2b
                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                      Control-flow Graph

                                                                      control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 520 4094b9-4094f9 call 402544 RegOpenKeyExA 514->520 521 40962f-409632 514->521 515->514 517 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->517 517->514 531 409502-40952e call 402544 RegQueryValueExA 520->531 532 4094fb-409500 520->532 523 409634-409637 521->523 526 409639-40964a call 401820 523->526 527 40967b-409682 523->527 543 40964c-409662 526->543 544 40966d-409679 526->544 534 409683 call 4091eb 527->534 552 409530-409537 531->552 553 409539-409565 call 402544 RegQueryValueExA 531->553 536 40957a-40957f 532->536 540 409688-409690 534->540 541 409581-409584 536->541 542 40958a-40958d 536->542 547 409692 540->547 548 409698-4096a0 540->548 541->523 541->542 542->527 549 409593-40959a 542->549 550 409664-40966b 543->550 551 40962b-40962d 543->551 544->534 547->548 557 4096a2-4096a9 548->557 558 40961a-40961f 549->558 559 40959c-4095a1 549->559 550->551 551->557 560 40956e-409577 RegCloseKey 552->560 553->560 565 409567 553->565 563 409625 558->563 559->558 564 4095a3-4095c0 call 40f0e4 559->564 560->536 563->551 570 4095c2-4095db call 4018e0 564->570 571 40960c-409618 564->571 565->560 570->557 574 4095e1-4095f9 570->574 571->563 574->557 575 4095ff-409607 574->575 575->557
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: PromptOnSecureDesktop$runas
                                                                      • API String ID: 3696105349-2220793183
                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                      • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                      Control-flow Graph

                                                                      control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError 614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 619 406ba3-406ba6 615->619 617 406ac5-406adc call 40eb0e 616->617 618 406b1d-406b34 call 406987 616->618 617->618 626 406ade 617->626 624 406b56-406b63 CloseHandle 618->624 625 406b36-406b54 GetLastError CloseHandle 618->625 628 406b65-406b7d GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 626->631 627->629 628->627 629->619 630->631 632 406afd-406aff 630->632 631->618 632->618 635 406b01 632->635 636 406b03-406b08 635->636 637 406b0a-406b17 call 40eca5 635->637 636->618 636->637 637->618
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                      • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3188212458-2980165447
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                      Control-flow Graph

                                                                      control_flow_graph 811 24ed3a9-24ed3c2 812 24ed3c4-24ed3c6 811->812 813 24ed3cd-24ed3d9 CreateToolhelp32Snapshot 812->813 814 24ed3c8 812->814 815 24ed3db-24ed3e1 813->815 816 24ed3e9-24ed3f6 Module32First 813->816 814->813 815->816 821 24ed3e3-24ed3e7 815->821 817 24ed3ff-24ed407 816->817 818 24ed3f8-24ed3f9 call 24ed068 816->818 822 24ed3fe 818->822 821->812 821->816 822->817
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 024ED3D1
                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 024ED3F1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105496878.00000000024DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24dd000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 3833638111-0
                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction ID: cd21b03b425250b1bce27a6ac30f15a619336a0634bb033de36073d177bd47fb
                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction Fuzzy Hash: C0F0C231900714EBEB202BB5A88CB6F72ECAF48626F10152AE643D11C0CBB0E8054A60

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                        • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                        • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocateSize
                                                                      • String ID:
                                                                      • API String ID: 2559512979-0
                                                                      • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                      • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                      • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                      • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 3433985886-3108538426
                                                                      • Opcode ID: 0e14b8839bf1cc749044a03d1cbc6966cac7291dd898e36f645a3e61cb73cdcc
                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                      • Opcode Fuzzy Hash: 0e14b8839bf1cc749044a03d1cbc6966cac7291dd898e36f645a3e61cb73cdcc
                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                      • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                      • RegCloseKey.KERNELBASE(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                      • String ID: $"$PromptOnSecureDesktop
                                                                      • API String ID: 4293430545-98143240
                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                      • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                      • CloseHandle.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00406971
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 2622201749-0
                                                                      • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                      • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024A024D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: cess$kernel32.dll
                                                                      • API String ID: 4275171209-1230238691
                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction ID: 47db5edc071913791deb89cbc8230648d4aa3d877f6c379e8469fc357dd10e18
                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction Fuzzy Hash: 3C526974A01229DFDB64CF58C994BADBBB1BF09304F1480DAE94DAB351DB30AA95CF14

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                      • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                      • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                        • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                        • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                        • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                        • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                        • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4131120076-2980165447
                                                                      • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                      • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                      • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                      • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 408151869-2980165447
                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                      Control-flow Graph

                                                                      [Control-flow graph image (executed / not executed legend): basic blocks of the function starting at 406987, calling WriteFile twice]
                                                                      APIs
                                                                      • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                      • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID: ,k@
                                                                      • API String ID: 3934441357-1053005162
                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                      Control-flow Graph

                                                                      [Control-flow graph image (executed / not executed legend): basic blocks of the function starting at 4091eb, calling subfunctions 40ed03 and 40ee08, ShellExecuteA and Sleep]
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                      • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-0
                                                                      • Opcode ID: ca0b5bb621994acda530d45d726ba1ad5c17bddbc5e981c8316112ba5a721b51
                                                                      • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                      • Opcode Fuzzy Hash: ca0b5bb621994acda530d45d726ba1ad5c17bddbc5e981c8316112ba5a721b51
                                                                      • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                      Control-flow Graph

                                                                      [Control-flow graph image (executed / not executed legend): basic blocks of the function starting at 24a0e0f, calling SetErrorMode twice]
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,024A0223,?,?), ref: 024A0E19
                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,024A0223,?,?), ref: 024A0E1E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction ID: 8cb0d109644ce714bdc84d03a3357bbc544987171c927014f260ece32c00e347
                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction Fuzzy Hash: 26D0123114512877DB002A94DC09BCE7B1CDF09B66F008011FB0DDD180C770954046E5

                                                                      Control-flow Graph

                                                                      [Control-flow graph image (executed / not executed legend): basic blocks of the function starting at 406dc2, calling subfunctions 406cc9 and 40ef00 and GetVolumeInformationA]
                                                                      APIs
                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                      • String ID:
                                                                      • API String ID: 1823874839-0
                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 024ED0B9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105496878.00000000024DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24dd000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction ID: 581e804555ee1f1edfc3e5f20f34d3a9f09f992aef3474c4cbfaa2fe4c582c21
                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction Fuzzy Hash: 2E113979A00208EFDB01DF98C985E99BBF5AF08751F1980A5F9489B361D771EA90DF80
                                                                      APIs
                                                                      • closesocket.WS2_32(?), ref: 0040CA4E
                                                                      • closesocket.WS2_32(?), ref: 0040CB63
                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                      • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                      • wsprintfA.USER32 ref: 0040CD21
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                      • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                      • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                      • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                      • closesocket.WS2_32(?), ref: 0040D56C
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                      • ExitProcess.KERNEL32 ref: 0040D583
                                                                      • wsprintfA.USER32 ref: 0040D81F
                                                                        • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                      • closesocket.WS2_32(?), ref: 0040DAD5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                      • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                      • API String ID: 562065436-3791576231
                                                                      • Opcode ID: 46fa9df5c4306c0050bb7a85a3b5eefaefcafc26c9c293650c17aef5077f26c5
                                                                      • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                      • Opcode Fuzzy Hash: 46fa9df5c4306c0050bb7a85a3b5eefaefcafc26c9c293650c17aef5077f26c5
                                                                      • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                      • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                      • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                      • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                      • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                      • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                      • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                      • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                      • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                      • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                      • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-3716895483
                                                                      • Opcode ID: aad480b6e0e58a6918efc610d136f9871add2120a421913cbbbf5b4a59ea4240
                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                      • Opcode Fuzzy Hash: aad480b6e0e58a6918efc610d136f9871add2120a421913cbbbf5b4a59ea4240
                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                      • API String ID: 4207808166-1381319158
                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                      • select.WS2_32 ref: 00402B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1639031587-0
                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2404124870-2980165447
                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID: *p@
                                                                      • API String ID: 3429775523-2474123842
                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 024A65F6
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024A6610
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 024A6631
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 024A6652
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction ID: cb1d8f5c56ce9c3b879c360ab8cb7279d7d45626068771758ccf8bbfa494f620
                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction Fuzzy Hash: F1117771600218BFDB115F79DC55F9B3FACEB05BA5F154025FA04E7250D7B1DD408AA4
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: cfcaefece596f69424170c8c4d4841579e71e1bfc642e2c0992e76636a24e9ad
                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                      • Opcode Fuzzy Hash: cfcaefece596f69424170c8c4d4841579e71e1bfc642e2c0992e76636a24e9ad
                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                        • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                        • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                      • String ID:
                                                                      • API String ID: 3754425949-0
                                                                      • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                      • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                      • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                      • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .$GetProcAddress.$l
                                                                      • API String ID: 0-2784972518
                                                                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                      • Instruction ID: 83b1f6a1e96997a5a0f1650ef269b331ccf1d5237051adc979373b0a2e30b189
                                                                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                      • Instruction Fuzzy Hash: 733127B6900609DFEB10CF99C884BAEBBF9FF58324F15504AD841A7310D771EA45CBA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                      • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                      • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                      • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105496878.00000000024DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24dd000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                      • Instruction ID: d48f909bb3a4a4f2dc5b6bf3a3e7823c8972401d9bc2e1953a6500aeae8acb8a
                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                      • Instruction Fuzzy Hash: 32118E72340100AFEB54DF59DCC1EA677EAEB88321B19806AED06CB311D676E842CB60
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                      • Instruction ID: d2f4d3bb4b2cbe01b0d25eaf4a28ec74c27e07ab8f56957cf8c9ab6a2dcf7ba0
                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                      • Instruction Fuzzy Hash: EB012673A106008FDF21CF20C914BAB33F5FB96206F0550BAD90AD7381E370A941CB80
                                                                      APIs
                                                                      • ExitProcess.KERNEL32 ref: 024A9E6D
                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 024A9FE1
                                                                      • lstrcat.KERNEL32(?,?), ref: 024A9FF2
                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 024AA004
                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 024AA054
                                                                      • DeleteFileA.KERNEL32(?), ref: 024AA09F
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 024AA0D6
                                                                      • lstrcpy.KERNEL32 ref: 024AA12F
                                                                      • lstrlen.KERNEL32(00000022), ref: 024AA13C
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 024A9F13
                                                                        • Part of subcall function 024A7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 024A7081
                                                                        • Part of subcall function 024A6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ihgdldig,024A7043), ref: 024A6F4E
                                                                        • Part of subcall function 024A6F30: GetProcAddress.KERNEL32(00000000), ref: 024A6F55
                                                                        • Part of subcall function 024A6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024A6F7B
                                                                        • Part of subcall function 024A6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024A6F92
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 024AA1A2
                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024AA1C5
                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 024AA214
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 024AA21B
                                                                      • GetDriveTypeA.KERNEL32(?), ref: 024AA265
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 024AA29F
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 024AA2C5
                                                                      • lstrcat.KERNEL32(?,00000022), ref: 024AA2D9
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 024AA2F4
                                                                      • wsprintfA.USER32 ref: 024AA31D
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 024AA345
                                                                      • lstrcat.KERNEL32(?,?), ref: 024AA364
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 024AA387
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 024AA398
                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024AA1D1
                                                                        • Part of subcall function 024A9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 024A999D
                                                                        • Part of subcall function 024A9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 024A99BD
                                                                        • Part of subcall function 024A9966: RegCloseKey.ADVAPI32(?), ref: 024A99C6
                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 024AA3DB
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 024AA3E2
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 024AA41D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                      • String ID: "$"$"$D$P$\
                                                                      • API String ID: 1653845638-2605685093
                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction ID: 380615dd516ee1c4454639c524a757bf546e36cd55fe21a3e67eef2bcefaff17
                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction Fuzzy Hash: EEF151B1C40259AFDF21DFA18C59FEF7BBCAB18304F4444AAE605E2141E7B58689CF64
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 024A7D21
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 024A7D46
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024A7D7D
                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 024A7DA2
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024A7DC0
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024A7DD1
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 024A7DE5
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024A7DF3
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024A7E03
                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 024A7E12
                                                                      • LocalFree.KERNEL32(00000000), ref: 024A7E19
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024A7E35
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2976863881-1403908072
                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction ID: d35ff5149e41532f3992582bacfff82785a5a6d9ca7b4c8d3f090fc4ae4fc1c5
                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction Fuzzy Hash: CDA15C71900209AFDB218FA0DD98BEFBFB9FB18304F04816AF506E6250D7758A85CB64
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2976863881-1403908072
                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      • Opcode ID: 59680a716c84fab098cc04c228647f95a811d0d2f75c561d0d852e03931200d7
                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                      • Opcode Fuzzy Hash: 59680a716c84fab098cc04c228647f95a811d0d2f75c561d0d852e03931200d7
                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 024A7A96
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024A7ACD
                                                                      • GetLengthSid.ADVAPI32(?), ref: 024A7ADF
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 024A7B01
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024A7B1F
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024A7B39
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 024A7B4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024A7B58
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024A7B68
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 024A7B77
                                                                      • LocalFree.KERNEL32(00000000), ref: 024A7B7E
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024A7B9A
                                                                      • GetAce.ADVAPI32(?,?,?), ref: 024A7BCA
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024A7BF1
                                                                      • DeleteAce.ADVAPI32(?,?), ref: 024A7C0A
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024A7C2C
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 024A7CB1
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024A7CBF
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 024A7CD0
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 024A7CE0
                                                                      • LocalFree.KERNEL32(00000000), ref: 024A7CEE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: eff90ccc0fa2f46189eec5eece767dc35345841f3761dba582bf97e237accd7f
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 0B814E71901219AFEB21CFA5DD94FEFBBB8AF18304F04807AE505E6250D7759641CBA4
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: PromptOnSecureDesktop$localcfg
                                                                      • API String ID: 237177642-1678164370
                                                                      • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                      • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                      • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                      • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                      APIs
                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                      • API String ID: 835516345-270533642
                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 024A865A
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 024A867B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 024A86A8
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 024A86B1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 237177642-3108538426
                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction ID: dcf0a04c7ba71f28f854aeefcd469f191568090f7039d88218456c2ae3593488
                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction Fuzzy Hash: BDC1A1B1940208BEEB11EBA4DD95EEF7BBDEB24304F14407BF604E6150EBB14A948F65
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 024A1601
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 024A17D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $<$@$D
                                                                      • API String ID: 1628651668-1974347203
                                                                      • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                      • Instruction ID: 1af3ef97217771ef43454e34bcb335c024a09d20611aaf443e0bccffb93b439a
                                                                      • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                      • Instruction Fuzzy Hash: 27F17CB55083419FD720CF64C898BABB7E9FB98304F00892EF59A973A0D7B4D944CB56
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024A76D9
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 024A7757
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 024A778F
                                                                      • ___ascii_stricmp.LIBCMT ref: 024A78B4
                                                                      • RegCloseKey.ADVAPI32(?), ref: 024A794E
                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 024A796D
                                                                      • RegCloseKey.ADVAPI32(?), ref: 024A797E
                                                                      • RegCloseKey.ADVAPI32(?), ref: 024A79AC
                                                                      • RegCloseKey.ADVAPI32(?), ref: 024A7A56
                                                                        • Part of subcall function 024AF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,024A772A,?), ref: 024AF414
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 024A79F6
                                                                      • RegCloseKey.ADVAPI32(?), ref: 024A7A4D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 3433985886-3108538426
                                                                      • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                      • Instruction ID: 1ffffd282f3921c36e447d301ef497ad4b8365f68347931842ae0887c7d5e3bb
                                                                      • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                      • Instruction Fuzzy Hash: 47C1A272900109BBEB219BA5DC54FEFBBBDEF68310F1040A7E504E6190EB719A84CF60
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 024A2CED
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 024A2D07
                                                                      • htons.WS2_32(00000000), ref: 024A2D42
                                                                      • select.WS2_32 ref: 024A2D8F
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 024A2DB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 024A2E62
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 127016686-0
                                                                      • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                      • Instruction ID: 4c15de73a0143255bb13f0ba8300c4f3e80e0ce3663d3364fb54eeac172bc6e6
                                                                      • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                      • Instruction Fuzzy Hash: D861DE71504305ABC320DF61DC08BABBBE8FB68745F04481AFD8596290D7F5D8C0EBA6
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                      • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
                                                                      • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                      • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
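Added example, not part of the Joe Sandbox report: a small Python decoder for the raw argument lists in the "APIs" entries above. The IDA plugin prints arguments as hex stack words, so constants such as 80000002, 00000103, 00020119, socket(00000002,00000002,00000011) and htons(00000035) have to be decoded by hand during triage. The sample lines are copied from the registry, UDP-socket and DNS-resolver functions listed above; the constant tables are the documented Windows and Winsock values. Two caveats are built into the script: the plugin prints more stack slots than the API actually takes, so for RegOpenKeyExA only the first slot (the hive) is trusted by position and the access mask is matched by shape; and the report prints the value name PromptOnSecureDesktop but never the subkey, so the script does not guess a path (that value name is the UAC policy setting under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, a known Windows location, not something this listing shows).

```python
"""Decode constant arguments in Joe Sandbox 'APIs' lines into symbolic names.

Added example for reading this report; not Joe Sandbox code. SAMPLE_CALLS is
constructed from lines copied out of the listing above.
"""
import re

SAMPLE_CALLS = """\
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 024A865A
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 024A86A8
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024A76D9
• socket.WS2_32(00000002,00000002,00000011), ref: 024A2D07
• htons.WS2_32(00000035), ref: 00402E88
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
"""

# "• api.MODULE(args), ref: ADDR"; lines without parentheses (e.g. select.WS2_32 ref: ...) are skipped.
CALL_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Documented Windows / Winsock constants.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_BITS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
            (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
            (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"),
            (0x20000, "STANDARD_RIGHTS_READ")]
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def parse_args(raw):
    """'?' -> None, hex words -> int (negatives such as -00000003 included), other tokens kept as text."""
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok == "?":
            out.append(None)
            continue
        try:
            out.append(int(tok, 16))
        except ValueError:
            out.append(tok)
    return out


def key_mask(value):
    """Render a registry samDesired mask as KEY_* flags; None if it has bits the table does not know."""
    covered = sum(bit for bit, _ in KEY_BITS)
    if not isinstance(value, int) or value <= 0 or value & ~covered:
        return None
    names = []
    if value & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        value &= ~KEY_READ
    names += [name for bit, name in KEY_BITS if value & bit]
    return "|".join(names)


def decode_call(api, args):
    """Human-readable notes for the constant arguments of one call; empty if nothing is decodable."""
    notes = []
    if api == "socket" and len(args) >= 3 and all(isinstance(a, int) for a in args[:3]):
        af, typ, proto = args[:3]
        notes.append(f"socket({AF.get(af, af)}, {SOCK.get(typ, typ)}, {PROTO.get(proto, proto)})")
    elif api == "htons" and args and isinstance(args[0], int):
        notes.append(f"port {args[0]}" + (" (DNS)" if args[0] == 53 else ""))
    elif api in ("RegSetValueExA", "RegSetValueExW") and len(args) >= 6:
        # Positional fit is exact here: (hKey, lpValueName, Reserved, dwType, lpData, cbData).
        notes.append(f"dwType={REG_TYPES.get(args[3], args[3])} cbData={args[5]}")
    elif api in ("RegOpenKeyExA", "RegOpenKeyExW"):
        if args and args[0] in HIVES:
            notes.append(f"hKey={HIVES[args[0]]}")
        # The plugin prints stack slots beyond the five real parameters, so the
        # access mask is matched by shape rather than by a fixed index.
        for a in args[1:]:
            mask = key_mask(a)
            if mask:
                notes.append(f"probable samDesired={mask}")
    return notes


def decode_listing(text):
    """Return [(ref, 'api.MODULE', notes), ...] for every decodable call line."""
    out = []
    for m in CALL_RE.finditer(text):
        api, module, raw, ref = m.groups()
        out.append((ref.upper(), f"{api}.{module}", decode_call(api, parse_args(raw))))
    return out


def notes_for(text, ref):
    """Notes for the call whose 'ref:' address equals ref; None if absent."""
    for r, _, notes in decode_listing(text):
        if r == ref.upper():
            return notes
    return None


if __name__ == "__main__":
    for ref, api, notes in decode_listing(SAMPLE_CALLS):
        print(ref, api, "; ".join(notes) or "-")
```

Run on the sample it reports the call at 024A86A8 as dwType=REG_DWORD cbData=4 and the opens at 024A865A and 024A76D9 as HKEY_LOCAL_MACHINE with KEY_SET_VALUE and KEY_READ masks respectively; read together with the PromptOnSecureDesktop string that is a 4-byte DWORD policy write, which is the thing to verify on a suspect host. The socket at 024A2D07 decodes to AF_INET/SOCK_DGRAM/IPPROTO_UDP, matching the htons(53) and gethostbyname calls in the resolver function.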
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?), ref: 024A95A7
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024A95D5
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 024A95DC
                                                                      • wsprintfA.USER32 ref: 024A9635
                                                                      • wsprintfA.USER32 ref: 024A9673
                                                                      • wsprintfA.USER32 ref: 024A96F4
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 024A9758
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024A978D
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024A97D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3696105349-2980165447
                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction ID: d49333b511937cd5509594b47140042ba404196508b629281b8d12207ad6a767
                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction Fuzzy Hash: FAA16CB2900608FBEB21DFA1CC95FDA3BADAB14741F10402BFA1596251E7B5D984CFA4
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-142018493
                                                                      • Opcode ID: b0a2ae875f58e383b947a4d61bc12981f29674b2f93b28c56df9bb17aab017a1
                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                      • Opcode Fuzzy Hash: b0a2ae875f58e383b947a4d61bc12981f29674b2f93b28c56df9bb17aab017a1
                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$wsprintf
                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                      • API String ID: 1220175532-2340906255
                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 024A202D
                                                                      • GetSystemInfo.KERNEL32(?), ref: 024A204F
                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 024A206A
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 024A2071
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 024A2082
                                                                      • GetTickCount.KERNEL32 ref: 024A2230
                                                                        • Part of subcall function 024A1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 024A1E7C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                      • API String ID: 4207808166-1391650218
                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction ID: 4c9cba2d561f697feac13ea6a8c87b74c877d4c8ea22612b02fb0070cdfb72f7
                                                                      • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction Fuzzy Hash: 7E5109B06043446FE330AF768C95F67BAECEF64704F00492FF99686242D7B9A584CB65
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                      • API String ID: 3976553417-1522128867
                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                      APIs
                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                      APIs
                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 024A3068
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 024A3078
                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 024A3095
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 024A30B6
                                                                      • htons.WS2_32(00000035), ref: 024A30EF
                                                                      • inet_addr.WS2_32(?), ref: 024A30FA
                                                                      • gethostbyname.WS2_32(?), ref: 024A310D
                                                                      • HeapFree.KERNEL32(00000000), ref: 024A314D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: iphlpapi.dll
                                                                      • API String ID: 2869546040-3565520932
                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction ID: 9c7b5df0936da859f79dbc212649e05ebee40c57e6b1faa0e304412478429acb
                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction Fuzzy Hash: DC31C431A00606ABDB129FB89C58BAF7FB8EF14364F1441A7E518E7390EB74D5818B58
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 3560063639-3847274415
                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                      • API String ID: 1082366364-2834986871
                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2981417381-1403908072
                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000008), ref: 024A67C3
                                                                      • htonl.WS2_32(?), ref: 024A67DF
                                                                      • htonl.WS2_32(?), ref: 024A67EE
                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 024A68F1
                                                                      • ExitProcess.KERNEL32 ref: 024A69BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Processhtonl$CurrentExitRead
                                                                      • String ID: except_info$localcfg
                                                                      • API String ID: 1430491713-3605449297
                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction ID: 9e5e8821f4d99644f09318874f49a71e9f045b8e30766a977a04da2e4e5c1a9e
                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction Fuzzy Hash: 4B615E71A40208AFDF609FB4DC45FEA77E9FB08300F14806AFA6DD2161EB7599948F54
                                                                      APIs
                                                                      • htons.WS2_32(024ACC84), ref: 024AF5B4
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 024AF5CE
                                                                      • closesocket.WS2_32(00000000), ref: 024AF5DC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction ID: b6aa57cad34af10768a56683d049e2ffd7dc972373438ad9cedb3d9a71e45cd4
                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction Fuzzy Hash: 2A318C72900118ABDB10DFA9DC88DEF7BBCEF98710F11456AF905E3150E7718A868BE4
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                      • wsprintfA.USER32 ref: 00407036
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                      • String ID: /%d$|
                                                                      • API String ID: 676856371-4124749705
                                                                      • Opcode ID: cea40b17ff8fa2f601ad1f23a222ab117a5c0c4b809ada7763c407b3c8c52c78
                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                      • Opcode Fuzzy Hash: cea40b17ff8fa2f601ad1f23a222ab117a5c0c4b809ada7763c407b3c8c52c78
                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(?), ref: 024A2FA1
                                                                      • LoadLibraryA.KERNEL32(?), ref: 024A2FB1
                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 024A2FC8
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 024A3000
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 024A3007
                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 024A3032
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: dnsapi.dll
                                                                      • API String ID: 1242400761-3175542204
                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction ID: 08168c554423f5453186430667c27110308923e635c76b02fffe914f232ff4e3
                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction Fuzzy Hash: 48219271D00225BBCB219F55DC55AAFBFB8EF18B10F008462F902E7240E7B59AC19BD4
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ihgdldig,024A7043), ref: 024A6F4E
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 024A6F55
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024A6F7B
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024A6F92
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\ihgdldig
                                                                      • API String ID: 1082366364-3344593279
                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction ID: f7c990e34da69f1ac399eebf1596b28a2c003a88ac9e3a9426fe3f0d3f495df1
                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction Fuzzy Hash: 242104217443407DF73253319CA9FFB2E4D8B72714F1D40AAF904D6680DBD984D686AD
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3609698214-2980165447
                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 024A92E2
                                                                      • wsprintfA.USER32 ref: 024A9350
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024A9375
                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 024A9389
                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 024A9394
                                                                      • CloseHandle.KERNEL32(00000000), ref: 024A939B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2439722600-2980165447
                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction ID: d338e67af5ea1bd880f9eba8693bd893b178c2a2ab521d11c9ca42b69fa44e07
                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction Fuzzy Hash: 511184B57401147BE7206732EC0DFEF3A6EDBD8B10F00807ABB1AE5090EAB54A458A64
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2439722600-2980165447
                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 024A9A18
                                                                      • GetThreadContext.KERNEL32(?,?), ref: 024A9A52
                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 024A9A60
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 024A9A98
                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 024A9AB5
                                                                      • ResumeThread.KERNEL32(?), ref: 024A9AC2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2981417381-2746444292
                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction ID: 41060c1d09c3c0dc54f45c02fae7c8f2e2011ea639d8e6d6aab9e042569cb718
                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction Fuzzy Hash: 2C213BB1A01219BBDF119BA1DC49EEF7BBCEF18750F404062BA19E5150E7758A84CBA4
                                                                      APIs
                                                                      • inet_addr.WS2_32(004102D8), ref: 024A1C18
                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 024A1C26
                                                                      • GetProcessHeap.KERNEL32 ref: 024A1C84
                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 024A1C9D
                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 024A1CC1
                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 024A1D02
                                                                      • FreeLibrary.KERNEL32(?), ref: 024A1D0B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                      • String ID:
                                                                      • API String ID: 2324436984-0
                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction ID: f2a7a36ffce557fc8b99bc9da7dec8952ca7a1fee3e2a8f79f1d9d112d51ed94
                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction Fuzzy Hash: 16317832E00219BFCB119FA4DC989EFBAB9EB55301F24447AE509A7210D7B55E80DB94
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1586453840-2980165447
                                                                      • Opcode ID: 430104cac5c13c71f5437c0750a91fe091c0dcfcbc33bae831f1428fc17f18ae
                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                      • Opcode Fuzzy Hash: 430104cac5c13c71f5437c0750a91fe091c0dcfcbc33bae831f1428fc17f18ae
                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1371578007-2980165447
                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024A6CE4
                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 024A6D22
                                                                      • GetLastError.KERNEL32 ref: 024A6DA7
                                                                      • CloseHandle.KERNEL32(?), ref: 024A6DB5
                                                                      • GetLastError.KERNEL32 ref: 024A6DD6
                                                                      • DeleteFileA.KERNEL32(?), ref: 024A6DE7
                                                                      • GetLastError.KERNEL32 ref: 024A6DFD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                      • String ID:
                                                                      • API String ID: 3873183294-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: 5cdba45576c3063da9db8969e08a59dadef51548a73fb84c0794a86658713432
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: EA3110B2900249BFCF00DFA59D58ADF7F7DEB58340F09807AE211E3250D7708A818B61
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024A93C6
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 024A93CD
                                                                      • CharToOemA.USER32(?,?), ref: 024A93DB
                                                                      • wsprintfA.USER32 ref: 024A9410
                                                                        • Part of subcall function 024A92CB: GetTempPathA.KERNEL32(00000400,?), ref: 024A92E2
                                                                        • Part of subcall function 024A92CB: wsprintfA.USER32 ref: 024A9350
                                                                        • Part of subcall function 024A92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024A9375
                                                                        • Part of subcall function 024A92CB: lstrlen.KERNEL32(?,?,00000000), ref: 024A9389
                                                                        • Part of subcall function 024A92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 024A9394
                                                                        • Part of subcall function 024A92CB: CloseHandle.KERNEL32(00000000), ref: 024A939B
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 024A9448
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3857584221-2980165447
                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction ID: 8495267e3d2081662291a5f7189bf1866bca42a5763bbdacd26f39c67f07971a
                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction Fuzzy Hash: 0F0152F69001187BD721A7619D89EDF377CDB95701F0040A6BB49E2080DAB497C58F75
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3857584221-2980165447
                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: $localcfg
                                                                      • API String ID: 1659193697-2018645984
                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction ID: 99e1d28e9a5373cbeb2dccf07408ec960af6a59ffe56af0319b2267b60addfda
                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction Fuzzy Hash: 88713B71A04334AAEF318B54DCA5FEF377AAB30309F24402BF945A6190DF6689C8CB55
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                      • String ID: flags_upd$localcfg
                                                                      • API String ID: 204374128-3505511081
                                                                      • Opcode ID: c9ad8023725aab8d2fa60d869e3a7a47c0dc8c499feb85b8788b54ce06fbb5cf
                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                      • Opcode Fuzzy Hash: c9ad8023725aab8d2fa60d869e3a7a47c0dc8c499feb85b8788b54ce06fbb5cf
                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                      APIs
                                                                        • Part of subcall function 024ADF6C: GetCurrentThreadId.KERNEL32 ref: 024ADFBA
                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 024AE8FA
                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,024A6128), ref: 024AE950
                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 024AE989
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 2920362961-1846390581
                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction ID: 467920a078492b973ececd3febc96d579cc16f82b2edb32562eda4b2efc9d283
                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction Fuzzy Hash: 18318C31B00705DBDB718F25C8A4BA77BE8FB25724F00893BE5A687651D370E881CB91
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction ID: 63e2d5e489377cba9357fb1877035bb17b1b8ca9673ce77f75d6e9b677061571
                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction Fuzzy Hash: 4621AF72204219FFDF10ABB1FC58EDF7FADEB48264B158426F502D1090EB70DA409A74
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                      • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 3819781495-0
                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 024AC6B4
                                                                      • InterlockedIncrement.KERNEL32(024AC74B), ref: 024AC715
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,024AC747), ref: 024AC728
                                                                      • CloseHandle.KERNEL32(00000000,?,024AC747,00413588,024A8A77), ref: 024AC733
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 1026198776-1857712256
                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction ID: 99e1659a4ddfbc2029d5c59fe13756adc7bba131c8e924c079d9d9b566bac4d5
                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction Fuzzy Hash: A35139B1A00B418FD764CF2AC6E462ABBE9FB58704B50593FE18BC7A90D774E840CB50
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 124786226-2980165447
                                                                      • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                      • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,024AE50A,00000000,00000000,00000000,00020106,00000000,024AE50A,00000000,000000E4), ref: 024AE319
                                                                      • RegSetValueExA.ADVAPI32(024AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024AE38E
                                                                      • RegDeleteValueA.ADVAPI32(024AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024AE3BF
                                                                      • RegCloseKey.ADVAPI32(024AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,024AE50A), ref: 024AE3C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2667537340-2980165447
                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction ID: 1653e2d35e98b8cf082f643d091443124a6421caa29e2b2dc8b571c2df38af35
                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction Fuzzy Hash: 75214971A00219ABDB209FA5EC99EEF7F69EF18750F008076E914E6150E3B19A54DBA0
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2667537340-2980165447
                                                                      • Opcode ID: 97717f860553cace0da6839a14b7da98954d63f37c5a4b4a783214777e1a839d
                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                      • Opcode Fuzzy Hash: 97717f860553cace0da6839a14b7da98954d63f37c5a4b4a783214777e1a839d
                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 024A71E1
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024A7228
                                                                      • LocalFree.KERNEL32(?,?,?), ref: 024A7286
                                                                      • wsprintfA.USER32 ref: 024A729D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                      • String ID: |
                                                                      • API String ID: 2539190677-2343686810
                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction ID: 619b2cbdded64ee6a572edc76710ccb4d8bdfe4398138226f0a164d769592991
                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction Fuzzy Hash: E5313872A00208BBDB11DFA8DC55BDE7BACEF04314F14C066F859DB200EB79D6488B94
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 024AB51A
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 024AB529
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 024AB548
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 024AB590
                                                                      • wsprintfA.USER32 ref: 024AB61E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                      • String ID:
                                                                      • API String ID: 4026320513-0
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 7d295969a6c5c57dee8efe6c9bb244c9e83db40bdf3797a1242d41e7769e76fe
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: 9B510FB1D0021CAACF14DFD5D8985EEBBB9FF58308F10856BE505A6150E7B84AC9CF98
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 024A6303
                                                                      • LoadLibraryA.KERNEL32(?), ref: 024A632A
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 024A63B1
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 024A6405
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction ID: 5cb588ddb60908532d0d28730bee9f48f03ea9190e61077b7c28401217012fd3
                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction Fuzzy Hash: 54415D71A00215EBDF14CF58C8A4BAAB7B8EF24358F19816AE925D7390D771E982CB50
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c79c3bb314f3d5ac5fee99c519c64317d163b7d5a05993d84b0a40af9e19cc60
                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                      • Opcode Fuzzy Hash: c79c3bb314f3d5ac5fee99c519c64317d163b7d5a05993d84b0a40af9e19cc60
                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                      • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: A$ A
                                                                      • API String ID: 3343386518-686259309
                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                        • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1128258776-0
                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718

APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94

APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98

APIs
  • Part of subcall function 024ADF6C: GetCurrentThreadId.KERNEL32 ref: 024ADFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,024AA6AC), ref: 024AE7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,024AA6AC), ref: 024AE7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,024AA6AC), ref: 024AE819
Memory Dump Source
• Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
• Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction ID: c8c60535d43afd0536240ee52782ab034bb8f42fcbbc6a21915f7c4b8793076c
• Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction Fuzzy Hash: 552129B1A003007AF221B7329C56FEB3E0DDB75B60F50043EFA19B55D3EA9595508AB5

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
• CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
Memory Dump Source
• Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID: PromptOnSecureDesktop
• API String ID: 3683885500-2980165447
• Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
• Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD

APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Memory Dump Source
• Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024A76D9
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 024A796D
• RegCloseKey.ADVAPI32(?), ref: 024A797E
Memory Dump Source
• Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
• API ID: CloseEnumOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1332880857-2980165447
• Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction ID: c7d92763ff62da70b7dc043aec591530da6e4359ed87aa9cea3ee66e16d33d7c
• Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction Fuzzy Hash: 5211B170A00109AFDB218FA9DC85FEFBF79EB65714F140156F515E6290E7B18950CB60

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 024A999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 024A99BD
• RegCloseKey.ADVAPI32(?), ref: 024A99C6
Memory Dump Source
• Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction ID: 9266b8b5b856ce7591e89d9504094a2c536fb97c84874099d71cae95317e2a9c
• Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction Fuzzy Hash: E5F0F6B6680208BFF7116B51EC06FDB3A2DDBA4B10F500065FA05B5081F6E59B9096B9

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Memory Dump Source
• Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
• Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD

APIs
Memory Dump Source
• Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: a7d7c90861fc3a3fcd25f457fe540b690efc36afc8170fa38c2c81d3d67333d7
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 7AE012306055119FDB50DB2CF848AD677E5FF4A230F058696F855D72A0C7B4DCC1A754

APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 024A69E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 024A6A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 024A6A3A
• CloseHandle.KERNEL32(000000FF), ref: 024A6BD8
  • Part of subcall function 024AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024A1DCF,?), ref: 024AEEA8
  • Part of subcall function 024AEE95: HeapFree.KERNEL32(00000000), ref: 024AEEAF
Memory Dump Source
• Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
• Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction ID: 595d16892dd2b2fbac38c69649fbf2038ed9d81c0e9a411627c4449407d93d2a
• Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction Fuzzy Hash: 1771277190122DEFDF10DFA4CC90AEEBBB9FB08314F15456AE515A6290D7309E92DB60

APIs
Memory Dump Source
• Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4

APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024A41AB
• GetLastError.KERNEL32 ref: 024A41B5
• WaitForSingleObject.KERNEL32(?,?), ref: 024A41C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024A41D9
Memory Dump Source
• Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 897dd8de4e9287ff1c02ca5458046d836bcd4624741343595ae66c9aec2e2813
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: 5F010C7651110AAFDF02DF90ED89BEF7B6CEB18655F004462F901E2150DBB0DB548BB5
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024A421F
                                                                      • GetLastError.KERNEL32 ref: 024A4229
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 024A423A
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024A424D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 96b4e42ed606477c31172acca3bf9f581d7b7c55393d4c7fb22971e8b0bee827
                                                                      • Instruction Fuzzy Hash: 0501C872511109AFDF11DF90EE84BEF7BACEB18395F108462F901E6150D7B0DA548BB6
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                      APIs
                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 024AE066
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcmp
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 1534048567-1846390581
                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction ID: 859f4747887d7fa8bab7682d5c2a297de8be8c6550f54d66e61886575e06833e
                                                                      • Instruction Fuzzy Hash: E5F062713047229BCB20CF25D894A83B7E9FB19325B44863BE564C3260D374A4D9CF51
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000001,024A44E2,00000000,00000000,00000000), ref: 024AE470
                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 024AE484
                                                                        • Part of subcall function 024AE2FC: RegCreateKeyExA.ADVAPI32(80000001,024AE50A,00000000,00000000,00000000,00020106,00000000,024AE50A,00000000,000000E4), ref: 024AE319
                                                                        • Part of subcall function 024AE2FC: RegSetValueExA.ADVAPI32(024AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024AE38E
                                                                        • Part of subcall function 024AE2FC: RegDeleteValueA.ADVAPI32(024AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024AE3BF
                                                                        • Part of subcall function 024AE2FC: RegCloseKey.ADVAPI32(024AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,024AE50A), ref: 024AE3C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4151426672-2980165447
                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                      • Instruction ID: 4d0b4c69fd86519acae76fe5a8a066781e19d7e7ae61465da24dc1d1e6378d21
                                                                      • Instruction Fuzzy Hash: 7A410CB6E00204BAEB20AF928C55FDB3B6DDF24724F44803BFE1994191E3B58650DAB4
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                        • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                        • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                        • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                        • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4151426672-2980165447
                                                                      • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                      • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                      • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 024A83C6
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 024A8477
                                                                        • Part of subcall function 024A69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 024A69E5
                                                                        • Part of subcall function 024A69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 024A6A26
                                                                        • Part of subcall function 024A69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 024A6A3A
                                                                        • Part of subcall function 024AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024A1DCF,?), ref: 024AEEA8
                                                                        • Part of subcall function 024AEE95: HeapFree.KERNEL32(00000000), ref: 024AEEAF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 359188348-2980165447
                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction ID: 33f98a5c044544ea4c2bb1c8cfcc702b0bd9c456dc9a4c63009facac9d26b3a2
                                                                      • Instruction Fuzzy Hash: 174161B2900109BFEB21EBA19D90EFF777DEB24344F1444BBE504E6110F7B15A948B64
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,024AE859,00000000,00020119,024AE859,PromptOnSecureDesktop), ref: 024AE64D
                                                                      • RegCloseKey.ADVAPI32(024AE859,?,?,?,?,000000C8,000000E4), ref: 024AE787
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 47109696-2980165447
                                                                      • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                      • Instruction ID: d68dfb6af512eab9a09438e2b1772a1330ae1acf8f098fe6c3e453b17ab2d0ba
                                                                      • Instruction Fuzzy Hash: B04129B6E0011DBFDF11EFA4DC90EEEBB79FB18304F144476EA10A6250E3719A558B60
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 024AAFFF
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 024AB00D
                                                                        • Part of subcall function 024AAF6F: gethostname.WS2_32(?,00000080), ref: 024AAF83
                                                                        • Part of subcall function 024AAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 024AAFE6
                                                                        • Part of subcall function 024A331C: gethostname.WS2_32(?,00000080), ref: 024A333F
                                                                        • Part of subcall function 024A331C: gethostbyname.WS2_32(?), ref: 024A3349
                                                                        • Part of subcall function 024AAA0A: inet_ntoa.WS2_32(00000000), ref: 024AAA10
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %OUTLOOK_BND_
                                                                      • API String ID: 1981676241-3684217054
                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction ID: c86b3f7b43f7f9117b9586f87de5b947840018ea39af6ca6160a37a3387911e4
                                                                      • Instruction Fuzzy Hash: 6D418F7290420CABDB21EFA1DC45EEE3BADFF18304F14442BFA2592151EA75DA84CF54
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 024A9536
                                                                      • Sleep.KERNEL32(000001F4), ref: 024A955D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-3916222277
                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction ID: d83862207f05f2b87badda3cce4fef677f246363d92b7ce9ae846424a462943f
                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction Fuzzy Hash: BE4127B28083947FFB368B68D8BE7A73FA59B22314F1800A7D08297292D7B44981C711
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 024AB9D9
                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 024ABA3A
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 024ABA94
                                                                      • GetTickCount.KERNEL32 ref: 024ABB79
                                                                      • GetTickCount.KERNEL32 ref: 024ABB99
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 024ABE15
                                                                      • closesocket.WS2_32(00000000), ref: 024ABEB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 1869671989-2903620461
                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction ID: 4634ee89bbf5349b292d425c3c2457c21bacd6eb13b51563dab9a3c683ab5067
                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction Fuzzy Hash: 71317C71500248DFDF25DFA5DCA4AEAB7B9EB68704F20405BFA2592160DB35DA85CF10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 536389180-1857712256
                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                      APIs
                                                                      Strings
                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickwsprintf
                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                      • API String ID: 2424974917-1012700906
                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                      APIs
                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 3716169038-2903620461
                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 024A70BC
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 024A70F4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID: |
                                                                      • API String ID: 2370142434-2343686810
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: dd6d1424262e60bb28c0e6f0fe6234be747920d498fda65566febece19ad9aa7
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: 8011FA72900118EBDB22CBD4DC84ADFB7FDAB04715F1441B6E601EA294D7749B88CBA4
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: localcfg
                                                                      • API String ID: 2777991786-1857712256
                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                      APIs
                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 224340156-2903620461
                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                      APIs
                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                      • String ID: localcfg
                                                                      • API String ID: 2112563974-1857712256
                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg
                                                                      • API String ID: 1594361348-2401304539
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 2574300362-2227199552
                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                      APIs
                                                                        • Part of subcall function 024A2F88: GetModuleHandleA.KERNEL32(?), ref: 024A2FA1
                                                                        • Part of subcall function 024A2F88: LoadLibraryA.KERNEL32(?), ref: 024A2FB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 024A31DA
                                                                      • HeapFree.KERNEL32(00000000), ref: 024A31E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2105352533.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction ID: 21fa0731ce8447611422fe65e65a4de6535e0f71cd0a3ce068d7dd26508215db
                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction Fuzzy Hash: 6051BD3190424AAFCF019F64D894AFABB75FF25304B1445AAEC9697210F7729A19CB90
                                                                      APIs
                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2103604609.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2103604609.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_H3nfKrgQbi.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 62cf705a705524b5481c3e56b905c2216abe02b2d19e69cd26a80eb50737c7aa
                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                      • Opcode Fuzzy Hash: 62cf705a705524b5481c3e56b905c2216abe02b2d19e69cd26a80eb50737c7aa
                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                      Execution Graph

                                                                      Execution Coverage:2.9%
                                                                      Dynamic/Decrypted Code Coverage:30.5%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:1577
                                                                      Total number of Limit Nodes:13
                                                                      execution_graph
15024->15029 15025->15037 15026->14991 15026->14992 15028->15022 15030 4099d2 16 API calls 15029->15030 15031 409e9d 15030->15031 15031->15028 15036 409eb0 lstrcpyA lstrlenA 15031->15036 15032 406dc2 6 API calls 15034 409d5f 15032->15034 15040 406cc9 5 API calls 15034->15040 15035 40a3c2 15038 4098f2 41 API calls 15035->15038 15039 409ef4 15036->15039 15085 406ec3 15037->15085 15038->14968 15042 406dc2 6 API calls 15039->15042 15045 409f03 15039->15045 15041 409d72 lstrcpyA lstrcatA lstrcatA 15040->15041 15044 409cf6 15041->15044 15042->15045 15043 40a39d StartServiceCtrlDispatcherA 15043->15035 15134 409326 15044->15134 15046 409f32 RegOpenKeyExA 15045->15046 15047 409f48 RegSetValueExA RegCloseKey 15046->15047 15051 409f70 15046->15051 15047->15051 15048 40a35f 15048->15035 15048->15043 15056 409f9d GetModuleHandleA GetModuleFileNameA 15051->15056 15052 409e0c DeleteFileA 15052->15018 15053 409dde GetFileAttributesExA 15053->15052 15054 409df7 15053->15054 15054->15028 15171 4096ff 15054->15171 15058 409fc2 15056->15058 15059 40a093 15056->15059 15058->15059 15065 409ff1 GetDriveTypeA 15058->15065 15060 40a103 CreateProcessA 15059->15060 15063 40a0a4 wsprintfA 15059->15063 15061 40a13a 15060->15061 15062 40a12a DeleteFileA 15060->15062 15061->15028 15068 4096ff 3 API calls 15061->15068 15062->15061 15177 402544 15063->15177 15065->15059 15066 40a00d 15065->15066 15070 40a02d lstrcatA 15066->15070 15068->15028 15069 40ee2a 15071 40a0ec lstrcatA 15069->15071 15072 40a046 15070->15072 15071->15060 15073 40a052 lstrcatA 15072->15073 15074 40a064 lstrcatA 15072->15074 15073->15074 15074->15059 15075 40a081 lstrcatA 15074->15075 15075->15059 15076->14961 15078 4096b9 15077->15078 15407 4073ff 15078->15407 15080 4096e2 15081 4096e9 15080->15081 15082 4096fa 15080->15082 15427 40704c 15081->15427 15082->14987 15082->14988 15084 4096f7 15084->15082 15086 406ed5 15085->15086 15087 406ecc 15085->15087 15086->15048 15452 406e36 GetUserNameW 15087->15452 15090 406784 
CreateFileA 15089->15090 15091 40677a SetFileAttributesA 15089->15091 15092 4067a4 CreateFileA 15090->15092 15093 4067b5 15090->15093 15091->15090 15092->15093 15094 4067c5 15093->15094 15095 4067ba SetFileAttributesA 15093->15095 15096 406977 15094->15096 15097 4067cf GetFileSize 15094->15097 15095->15094 15096->14992 15114 406a60 CreateFileA 15096->15114 15098 4067e5 15097->15098 15112 406922 15097->15112 15100 4067ed ReadFile 15098->15100 15098->15112 15099 40696e CloseHandle 15099->15096 15101 406811 SetFilePointer 15100->15101 15100->15112 15102 40682a ReadFile 15101->15102 15101->15112 15103 406848 SetFilePointer 15102->15103 15102->15112 15106 406867 15103->15106 15103->15112 15104 4068d0 15104->15099 15107 40ebcc 4 API calls 15104->15107 15105 406878 ReadFile 15105->15104 15105->15106 15106->15104 15106->15105 15108 4068f8 15107->15108 15109 406900 SetFilePointer 15108->15109 15108->15112 15110 40695a 15109->15110 15111 40690d ReadFile 15109->15111 15113 40ec2e codecvt 4 API calls 15110->15113 15111->15110 15111->15112 15112->15099 15113->15112 15115 406b8c GetLastError 15114->15115 15116 406a8f GetDiskFreeSpaceA 15114->15116 15118 406b86 15115->15118 15117 406ac5 15116->15117 15126 406ad7 15116->15126 15455 40eb0e 15117->15455 15118->15011 15122 406b56 CloseHandle 15122->15118 15125 406b65 GetLastError CloseHandle 15122->15125 15123 406b36 GetLastError CloseHandle 15124 406b7f DeleteFileA 15123->15124 15124->15118 15125->15124 15459 406987 15126->15459 15128 4099eb 15127->15128 15129 409a2f lstrcatA 15128->15129 15130 40ee2a 15129->15130 15131 409a4b lstrcatA 15130->15131 15132 406a60 13 API calls 15131->15132 15133 409a60 15132->15133 15133->15018 15133->15032 15133->15044 15469 401910 15134->15469 15137 40934a GetModuleHandleA GetModuleFileNameA 15139 40937f 15137->15139 15140 4093a4 15139->15140 15141 4093d9 15139->15141 15142 4093c3 wsprintfA 15140->15142 15143 409401 wsprintfA 15141->15143 15145 409415 15142->15145 15143->15145 15144 4094a0 15471 
406edd 15144->15471 15145->15144 15148 406cc9 5 API calls 15145->15148 15147 4094ac 15149 40962f 15147->15149 15150 4094e8 RegOpenKeyExA 15147->15150 15153 409439 15148->15153 15155 409646 15149->15155 15492 401820 15149->15492 15151 409502 15150->15151 15152 4094fb 15150->15152 15157 40951f RegQueryValueExA 15151->15157 15152->15149 15159 40958a 15152->15159 15158 40ef1e lstrlenA 15153->15158 15165 4095d6 15155->15165 15498 4091eb 15155->15498 15160 409530 15157->15160 15161 409539 15157->15161 15162 409462 15158->15162 15159->15155 15163 409593 15159->15163 15164 40956e RegCloseKey 15160->15164 15166 409556 RegQueryValueExA 15161->15166 15167 40947e wsprintfA 15162->15167 15163->15165 15479 40f0e4 15163->15479 15164->15152 15165->15052 15165->15053 15166->15160 15166->15164 15167->15144 15169 4095bb 15169->15165 15486 4018e0 15169->15486 15172 402544 15171->15172 15173 40972d RegOpenKeyExA 15172->15173 15174 409740 15173->15174 15175 409765 15173->15175 15176 40974f RegDeleteValueA RegCloseKey 15174->15176 15175->15028 15176->15175 15178 402554 lstrcatA 15177->15178 15178->15069 15180 402544 15179->15180 15181 40919e wsprintfA 15180->15181 15182 4091bb 15181->15182 15536 409064 GetTempPathA 15182->15536 15185 4091d5 ShellExecuteA 15186 4091e7 15185->15186 15186->15011 15543 40dd05 GetTickCount 15187->15543 15189 40e538 15550 40dbcf 15189->15550 15191 40e544 15192 40e555 GetFileSize 15191->15192 15196 40e5b8 15191->15196 15193 40e5b1 CloseHandle 15192->15193 15194 40e566 15192->15194 15193->15196 15560 40db2e 15194->15560 15569 40e3ca RegOpenKeyExA 15196->15569 15198 40e576 ReadFile 15198->15193 15200 40e58d 15198->15200 15564 40e332 15200->15564 15202 40e5f2 15204 40e3ca 19 API calls 15202->15204 15205 40e629 15202->15205 15204->15205 15205->14967 15207 40eabe 15206->15207 15209 40eaba 15206->15209 15208 40dd05 6 API calls 15207->15208 15207->15209 15208->15209 15209->14972 15211 40ee2a 15210->15211 15212 401db4 GetVersionExA 15211->15212 15213 401dd0 
GetSystemInfo GetModuleHandleA GetProcAddress 15212->15213 15215 401e24 15213->15215 15216 401e16 GetCurrentProcess 15213->15216 15622 40e819 15215->15622 15216->15215 15218 401e3d 15219 40e819 11 API calls 15218->15219 15220 401e4e 15219->15220 15221 401e77 15220->15221 15629 40df70 15220->15629 15638 40ea84 15221->15638 15225 401e6c 15227 40df70 12 API calls 15225->15227 15226 40e819 11 API calls 15228 401e93 15226->15228 15227->15221 15642 40199c inet_addr LoadLibraryA 15228->15642 15231 40e819 11 API calls 15232 401eb9 15231->15232 15233 401ed8 15232->15233 15235 40f04e 4 API calls 15232->15235 15234 40e819 11 API calls 15233->15234 15236 401eee 15234->15236 15237 401ec9 15235->15237 15238 401f0a 15236->15238 15655 401b71 15236->15655 15239 40ea84 30 API calls 15237->15239 15241 40e819 11 API calls 15238->15241 15239->15233 15243 401f23 15241->15243 15242 401efd 15244 40ea84 30 API calls 15242->15244 15251 401f3f 15243->15251 15659 401bdf 15243->15659 15244->15238 15245 40e819 11 API calls 15247 401f5e 15245->15247 15249 401f77 15247->15249 15252 40ea84 30 API calls 15247->15252 15666 4030b5 15249->15666 15250 40ea84 30 API calls 15250->15251 15251->15245 15252->15249 15256 406ec3 2 API calls 15257 401f8e GetTickCount 15256->15257 15257->14977 15259 406ec3 2 API calls 15258->15259 15260 4080eb 15259->15260 15261 4080f9 15260->15261 15262 4080ef 15260->15262 15264 40704c 16 API calls 15261->15264 15714 407ee6 15262->15714 15265 408110 15264->15265 15267 408156 RegOpenKeyExA 15265->15267 15268 4080f4 15265->15268 15266 40675c 21 API calls 15271 408244 15266->15271 15267->15268 15269 40816d RegQueryValueExA 15267->15269 15268->15266 15276 408269 CreateThread 15268->15276 15270 4081f7 15269->15270 15275 40818d 15269->15275 15272 40820d RegCloseKey 15270->15272 15274 40ec2e codecvt 4 API calls 15270->15274 15273 40ec2e codecvt 4 API calls 15271->15273 15271->15276 15272->15268 15273->15276 15282 4081dd 15274->15282 15275->15270 15277 40ebcc 4 API calls 15275->15277 
15283 405e6c 15276->15283 16043 40877e 15276->16043 15278 4081a0 15277->15278 15278->15272 15279 4081aa RegQueryValueExA 15278->15279 15279->15270 15280 4081c4 15279->15280 15281 40ebcc 4 API calls 15280->15281 15281->15282 15282->15272 15782 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15283->15782 15285 405e71 15783 40e654 15285->15783 15287 405ec1 15288 403132 15287->15288 15289 40df70 12 API calls 15288->15289 15290 40313b 15289->15290 15291 40c125 15290->15291 15794 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15291->15794 15293 40c12d 15294 40e654 13 API calls 15293->15294 15295 40c2bd 15294->15295 15296 40e654 13 API calls 15295->15296 15297 40c2c9 15296->15297 15298 40e654 13 API calls 15297->15298 15299 40a47a 15298->15299 15300 408db1 15299->15300 15301 408dbc 15300->15301 15302 40e654 13 API calls 15301->15302 15303 408dec Sleep 15302->15303 15303->15013 15305 40c92f 15304->15305 15306 40c93c 15305->15306 15795 40c517 15305->15795 15308 40ca2b 15306->15308 15309 40e819 11 API calls 15306->15309 15308->15013 15310 40c96a 15309->15310 15311 40e819 11 API calls 15310->15311 15312 40c97d 15311->15312 15313 40e819 11 API calls 15312->15313 15314 40c990 15313->15314 15315 40c9aa 15314->15315 15316 40ebcc 4 API calls 15314->15316 15315->15308 15812 402684 15315->15812 15316->15315 15321 40ca26 15819 40c8aa 15321->15819 15324 40ca44 15325 40ca4b closesocket 15324->15325 15326 40ca83 15324->15326 15325->15321 15327 40ea84 30 API calls 15326->15327 15328 40caac 15327->15328 15329 40f04e 4 API calls 15328->15329 15330 40cab2 15329->15330 15331 40ea84 30 API calls 15330->15331 15332 40caca 15331->15332 15333 40ea84 30 API calls 15332->15333 15334 40cad9 15333->15334 15827 40c65c 15334->15827 15337 40cb60 closesocket 15337->15308 15339 40dad2 closesocket 15340 40e318 23 API calls 15339->15340 15340->15308 15341 40df4c 20 API calls 15370 40cb70 15341->15370 15346 40e654 13 API calls 15346->15370 15349 40f04e LoadLibraryA 
GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15349->15370 15353 40ea84 30 API calls 15353->15370 15354 40d569 closesocket Sleep 15874 40e318 15354->15874 15355 40d815 wsprintfA 15355->15370 15356 40cc1c GetTempPathA 15356->15370 15357 407ead 6 API calls 15357->15370 15358 40c517 23 API calls 15358->15370 15360 40e8a1 30 API calls 15360->15370 15361 40d582 ExitProcess 15362 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15362->15370 15363 40cfe3 GetSystemDirectoryA 15363->15370 15364 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15364->15370 15365 40cfad GetEnvironmentVariableA 15365->15370 15366 40675c 21 API calls 15366->15370 15367 40d027 GetSystemDirectoryA 15367->15370 15368 40d105 lstrcatA 15368->15370 15369 40ef1e lstrlenA 15369->15370 15370->15339 15370->15341 15370->15346 15370->15349 15370->15353 15370->15354 15370->15355 15370->15356 15370->15357 15370->15358 15370->15360 15370->15362 15370->15363 15370->15364 15370->15365 15370->15366 15370->15367 15370->15368 15370->15369 15371 40cc9f CreateFileA 15370->15371 15373 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15370->15373 15374 40d15b CreateFileA 15370->15374 15379 40d149 SetFileAttributesA 15370->15379 15380 40d36e GetEnvironmentVariableA 15370->15380 15381 40d1bf SetFileAttributesA 15370->15381 15383 40d22d GetEnvironmentVariableA 15370->15383 15384 40d3af lstrcatA 15370->15384 15386 40d3f2 CreateFileA 15370->15386 15388 407fcf 64 API calls 15370->15388 15394 40d4b1 CreateProcessA 15370->15394 15395 40d3e0 SetFileAttributesA 15370->15395 15396 40d26e lstrcatA 15370->15396 15399 40d2b1 CreateFileA 15370->15399 15400 407ee6 64 API calls 15370->15400 15401 40d452 SetFileAttributesA 15370->15401 15404 40d29f SetFileAttributesA 15370->15404 15406 40d31d SetFileAttributesA 15370->15406 15835 40c75d 15370->15835 15847 407e2f 15370->15847 15869 407ead 15370->15869 15879 4031d0 15370->15879 15896 403c09 15370->15896 15906 403a00 
15370->15906 15910 40e7b4 15370->15910 15913 40c06c 15370->15913 15919 406f5f GetUserNameA 15370->15919 15930 40e854 15370->15930 15940 407dd6 15370->15940 15371->15370 15372 40ccc6 WriteFile 15371->15372 15376 40cdcc CloseHandle 15372->15376 15377 40cced CloseHandle 15372->15377 15373->15370 15374->15370 15375 40d182 WriteFile CloseHandle 15374->15375 15375->15370 15376->15370 15382 40cd2f 15377->15382 15378 40cd16 wsprintfA 15378->15382 15379->15374 15380->15370 15381->15370 15382->15378 15856 407fcf 15382->15856 15383->15370 15384->15370 15384->15386 15386->15370 15389 40d415 WriteFile CloseHandle 15386->15389 15388->15370 15389->15370 15390 40cd81 WaitForSingleObject CloseHandle CloseHandle 15392 40f04e 4 API calls 15390->15392 15391 40cda5 15393 407ee6 64 API calls 15391->15393 15392->15391 15397 40cdbd DeleteFileA 15393->15397 15394->15370 15398 40d4e8 CloseHandle CloseHandle 15394->15398 15395->15386 15396->15370 15396->15399 15397->15370 15398->15370 15399->15370 15402 40d2d8 WriteFile CloseHandle 15399->15402 15400->15370 15401->15370 15402->15370 15404->15399 15406->15370 15408 40741b 15407->15408 15409 406dc2 6 API calls 15408->15409 15410 40743f 15409->15410 15411 407469 RegOpenKeyExA 15410->15411 15413 4077f9 15411->15413 15423 407487 ___ascii_stricmp 15411->15423 15412 407703 RegEnumKeyA 15414 407714 RegCloseKey 15412->15414 15412->15423 15413->15080 15414->15413 15415 40f1a5 lstrlenA 15415->15423 15416 4074d2 RegOpenKeyExA 15416->15423 15417 40772c 15419 407742 RegCloseKey 15417->15419 15420 40774b 15417->15420 15418 407521 RegQueryValueExA 15418->15423 15419->15420 15421 4077ec RegCloseKey 15420->15421 15421->15413 15422 4076e4 RegCloseKey 15422->15423 15423->15412 15423->15415 15423->15416 15423->15417 15423->15418 15423->15422 15425 40777e GetFileAttributesExA 15423->15425 15426 407769 15423->15426 15424 4077e3 RegCloseKey 15424->15421 15425->15426 15426->15424 15428 407073 15427->15428 15429 4070b9 RegOpenKeyExA 15428->15429 15430 4070d0 
15429->15430 15444 4071b8 15429->15444 15431 406dc2 6 API calls 15430->15431 15434 4070d5 15431->15434 15432 40719b RegEnumValueA 15433 4071af RegCloseKey 15432->15433 15432->15434 15433->15444 15434->15432 15436 4071d0 15434->15436 15450 40f1a5 lstrlenA 15434->15450 15437 407205 RegCloseKey 15436->15437 15438 407227 15436->15438 15437->15444 15439 4072b8 ___ascii_stricmp 15438->15439 15440 40728e RegCloseKey 15438->15440 15441 4072cd RegCloseKey 15439->15441 15442 4072dd 15439->15442 15440->15444 15441->15444 15443 407311 RegCloseKey 15442->15443 15446 407335 15442->15446 15443->15444 15444->15084 15445 4073d5 RegCloseKey 15447 4073e4 15445->15447 15446->15445 15448 40737e GetFileAttributesExA 15446->15448 15449 407397 15446->15449 15448->15449 15449->15445 15451 40f1c3 15450->15451 15451->15434 15453 406e5f LookupAccountNameW 15452->15453 15454 406e97 15452->15454 15453->15454 15454->15086 15456 40eb17 15455->15456 15457 40eb21 15455->15457 15465 40eae4 15456->15465 15457->15126 15461 4069b9 WriteFile 15459->15461 15462 406a3c 15461->15462 15464 4069ff 15461->15464 15462->15122 15462->15123 15463 406a10 WriteFile 15463->15462 15463->15464 15464->15462 15464->15463 15466 40eb02 GetProcAddress 15465->15466 15467 40eaed LoadLibraryA 15465->15467 15466->15457 15467->15466 15468 40eb01 15467->15468 15468->15457 15470 401924 GetVersionExA 15469->15470 15470->15137 15472 406f55 15471->15472 15473 406eef AllocateAndInitializeSid 15471->15473 15472->15147 15474 406f44 15473->15474 15475 406f1c CheckTokenMembership 15473->15475 15474->15472 15478 406e36 2 API calls 15474->15478 15476 406f3b FreeSid 15475->15476 15477 406f2e 15475->15477 15476->15474 15477->15476 15478->15472 15480 40f0f1 15479->15480 15481 40f0ed 15479->15481 15482 40f119 15480->15482 15483 40f0fa lstrlenA SysAllocStringByteLen 15480->15483 15481->15169 15484 40f11c MultiByteToWideChar 15482->15484 15483->15484 15485 40f117 15483->15485 15484->15485 15485->15169 15487 401820 17 API calls 15486->15487 15488 
4018f2 15487->15488 15489 4018f9 15488->15489 15503 401280 15488->15503 15489->15165 15491 401908 15491->15165 15515 401000 15492->15515 15494 401839 15495 401851 GetCurrentProcess 15494->15495 15496 40183d 15494->15496 15497 401864 15495->15497 15496->15155 15497->15155 15499 40920e 15498->15499 15502 409308 15498->15502 15499->15499 15500 4092f1 Sleep 15499->15500 15501 4092bf ShellExecuteA 15499->15501 15499->15502 15500->15499 15501->15499 15501->15502 15502->15165 15504 4012e1 15503->15504 15505 4016f9 GetLastError 15504->15505 15508 4013a8 15504->15508 15506 401699 15505->15506 15506->15491 15507 401570 lstrlenW 15507->15508 15508->15506 15508->15507 15508->15508 15509 4015be GetStartupInfoW 15508->15509 15510 4015ff CreateProcessWithLogonW 15508->15510 15514 401668 CloseHandle 15508->15514 15509->15508 15511 4016bf GetLastError 15510->15511 15512 40163f WaitForSingleObject 15510->15512 15511->15506 15512->15508 15513 401659 CloseHandle 15512->15513 15513->15508 15514->15508 15516 40100d LoadLibraryA 15515->15516 15522 401023 15515->15522 15517 401021 15516->15517 15516->15522 15517->15494 15518 4010b5 GetProcAddress 15519 4010d1 GetProcAddress 15518->15519 15520 40127b 15518->15520 15519->15520 15521 4010f0 GetProcAddress 15519->15521 15520->15494 15521->15520 15523 401110 GetProcAddress 15521->15523 15522->15518 15535 4010ae 15522->15535 15523->15520 15524 401130 GetProcAddress 15523->15524 15524->15520 15525 40114f GetProcAddress 15524->15525 15525->15520 15526 40116f GetProcAddress 15525->15526 15526->15520 15527 40118f GetProcAddress 15526->15527 15527->15520 15528 4011ae GetProcAddress 15527->15528 15528->15520 15529 4011ce GetProcAddress 15528->15529 15529->15520 15530 4011ee GetProcAddress 15529->15530 15530->15520 15531 401209 GetProcAddress 15530->15531 15531->15520 15532 401225 GetProcAddress 15531->15532 15532->15520 15533 401241 GetProcAddress 15532->15533 15533->15520 15534 40125c GetProcAddress 15533->15534 15534->15520 15535->15494 15537 
40908d 15536->15537 15538 4090e2 wsprintfA 15537->15538 15539 40ee2a 15538->15539 15540 4090fd CreateFileA 15539->15540 15541 40911a lstrlenA WriteFile CloseHandle 15540->15541 15542 40913f 15540->15542 15541->15542 15542->15185 15542->15186 15544 40dd41 InterlockedExchange 15543->15544 15545 40dd20 GetCurrentThreadId 15544->15545 15549 40dd4a 15544->15549 15546 40dd53 GetCurrentThreadId 15545->15546 15547 40dd2e GetTickCount 15545->15547 15546->15189 15548 40dd39 Sleep 15547->15548 15547->15549 15548->15544 15549->15546 15551 40dbf0 15550->15551 15583 40db67 GetEnvironmentVariableA 15551->15583 15553 40dc19 15554 40dcda 15553->15554 15555 40db67 3 API calls 15553->15555 15554->15191 15556 40dc5c 15555->15556 15556->15554 15557 40db67 3 API calls 15556->15557 15558 40dc9b 15557->15558 15558->15554 15559 40db67 3 API calls 15558->15559 15559->15554 15561 40db55 15560->15561 15562 40db3a 15560->15562 15561->15193 15561->15198 15587 40ebed 15562->15587 15596 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15564->15596 15566 40e3be 15566->15193 15567 40e342 15567->15566 15599 40de24 15567->15599 15570 40e528 15569->15570 15571 40e3f4 15569->15571 15570->15202 15572 40e434 RegQueryValueExA 15571->15572 15573 40e458 15572->15573 15574 40e51d RegCloseKey 15572->15574 15575 40e46e RegQueryValueExA 15573->15575 15574->15570 15575->15573 15576 40e488 15575->15576 15576->15574 15577 40db2e 8 API calls 15576->15577 15578 40e499 15577->15578 15578->15574 15579 40e4b9 RegQueryValueExA 15578->15579 15580 40e4e8 15578->15580 15579->15578 15579->15580 15580->15574 15581 40e332 14 API calls 15580->15581 15582 40e513 15581->15582 15582->15574 15584 40db89 lstrcpyA CreateFileA 15583->15584 15585 40dbca 15583->15585 15584->15553 15585->15553 15588 40ec01 15587->15588 15589 40ebf6 15587->15589 15591 40eba0 codecvt 2 API calls 15588->15591 15590 40ebcc 4 API calls 15589->15590 15592 40ebfe 15590->15592 15593 40ec0a GetProcessHeap HeapReAlloc 15591->15593 15592->15561 15594 40eb74 2 
API calls 15593->15594 15595 40ec28 15594->15595 15595->15561 15610 40eb41 15596->15610 15600 40de3a 15599->15600 15605 40de4e 15600->15605 15614 40dd84 15600->15614 15603 40de9e 15604 40ebed 8 API calls 15603->15604 15603->15605 15608 40def6 15604->15608 15605->15567 15606 40de76 15618 40ddcf 15606->15618 15608->15605 15609 40ddcf lstrcmpA 15608->15609 15609->15605 15611 40eb54 15610->15611 15612 40eb4a 15610->15612 15611->15567 15613 40eae4 2 API calls 15612->15613 15613->15611 15615 40dd96 15614->15615 15616 40ddc5 15614->15616 15615->15616 15617 40ddad lstrcmpiA 15615->15617 15616->15603 15616->15606 15617->15615 15617->15616 15619 40de20 15618->15619 15620 40dddd 15618->15620 15619->15605 15620->15619 15621 40ddfa lstrcmpA 15620->15621 15621->15620 15623 40dd05 6 API calls 15622->15623 15624 40e821 15623->15624 15625 40dd84 lstrcmpiA 15624->15625 15626 40e82c 15625->15626 15627 40e844 15626->15627 15670 402480 15626->15670 15627->15218 15630 40dd05 6 API calls 15629->15630 15631 40df7c 15630->15631 15632 40dd84 lstrcmpiA 15631->15632 15636 40df89 15632->15636 15633 40ddcf lstrcmpA 15633->15636 15634 40ec2e codecvt 4 API calls 15634->15636 15635 40dd84 lstrcmpiA 15635->15636 15636->15633 15636->15634 15636->15635 15637 40dfc4 15636->15637 15637->15225 15639 40ea98 15638->15639 15679 40e8a1 15639->15679 15641 401e84 15641->15226 15643 4019d5 GetProcAddress GetProcAddress GetProcAddress 15642->15643 15646 4019ce 15642->15646 15644 401ab3 FreeLibrary 15643->15644 15645 401a04 15643->15645 15644->15646 15645->15644 15647 401a14 GetProcessHeap 15645->15647 15646->15231 15647->15646 15649 401a2e HeapAlloc 15647->15649 15649->15646 15650 401a42 15649->15650 15651 401a62 15650->15651 15652 401a52 HeapReAlloc 15650->15652 15653 401aa1 FreeLibrary 15651->15653 15654 401a96 HeapFree 15651->15654 15652->15651 15653->15646 15654->15653 15707 401ac3 LoadLibraryA 15655->15707 15658 401bcf 15658->15242 15660 401ac3 12 API calls 15659->15660 15661 401c09 15660->15661 15662 
401c41 15661->15662 15663 401c0d GetComputerNameA 15661->15663 15662->15250 15664 401c45 GetVolumeInformationA 15663->15664 15665 401c1f 15663->15665 15664->15662 15665->15662 15665->15664 15667 40ee2a 15666->15667 15668 4030d0 gethostname gethostbyname 15667->15668 15669 401f82 15668->15669 15669->15256 15669->15257 15673 402419 lstrlenA 15670->15673 15672 402491 15672->15627 15674 402474 15673->15674 15675 40243d lstrlenA 15673->15675 15674->15672 15676 402464 lstrlenA 15675->15676 15677 40244e lstrcmpiA 15675->15677 15676->15674 15676->15675 15677->15676 15678 40245c 15677->15678 15678->15674 15678->15676 15680 40dd05 6 API calls 15679->15680 15681 40e8b4 15680->15681 15682 40dd84 lstrcmpiA 15681->15682 15683 40e8c0 15682->15683 15684 40e90a 15683->15684 15685 40e8c8 lstrcpynA 15683->15685 15687 402419 4 API calls 15684->15687 15695 40ea27 15684->15695 15686 40e8f5 15685->15686 15700 40df4c 15686->15700 15688 40e926 lstrlenA lstrlenA 15687->15688 15690 40e96a 15688->15690 15691 40e94c lstrlenA 15688->15691 15694 40ebcc 4 API calls 15690->15694 15690->15695 15691->15690 15692 40e901 15693 40dd84 lstrcmpiA 15692->15693 15693->15684 15696 40e98f 15694->15696 15695->15641 15696->15695 15697 40df4c 20 API calls 15696->15697 15698 40ea1e 15697->15698 15699 40ec2e codecvt 4 API calls 15698->15699 15699->15695 15701 40dd05 6 API calls 15700->15701 15702 40df51 15701->15702 15703 40f04e 4 API calls 15702->15703 15704 40df58 15703->15704 15705 40de24 10 API calls 15704->15705 15706 40df63 15705->15706 15706->15692 15708 401ae2 GetProcAddress 15707->15708 15711 401b68 GetComputerNameA GetVolumeInformationA 15707->15711 15709 401af5 15708->15709 15708->15711 15710 40ebed 8 API calls 15709->15710 15712 401b29 15709->15712 15710->15709 15711->15658 15712->15711 15713 40ec2e codecvt 4 API calls 15712->15713 15713->15711 15715 406ec3 2 API calls 15714->15715 15716 407ef4 15715->15716 15717 4073ff 17 API calls 15716->15717 15726 407fc9 15716->15726 15718 407f16 15717->15718 
15718->15726 15727 407809 GetUserNameA 15718->15727 15720 407f63 15721 40ef1e lstrlenA 15720->15721 15720->15726 15722 407fa6 15721->15722 15723 40ef1e lstrlenA 15722->15723 15724 407fb7 15723->15724 15751 407a95 RegOpenKeyExA 15724->15751 15726->15268 15728 40783d LookupAccountNameA 15727->15728 15729 407a8d 15727->15729 15728->15729 15730 407874 GetLengthSid GetFileSecurityA 15728->15730 15729->15720 15730->15729 15731 4078a8 GetSecurityDescriptorOwner 15730->15731 15732 4078c5 EqualSid 15731->15732 15733 40791d GetSecurityDescriptorDacl 15731->15733 15732->15733 15734 4078dc LocalAlloc 15732->15734 15733->15729 15741 407941 15733->15741 15734->15733 15735 4078ef InitializeSecurityDescriptor 15734->15735 15736 407916 LocalFree 15735->15736 15737 4078fb SetSecurityDescriptorOwner 15735->15737 15736->15733 15737->15736 15739 40790b SetFileSecurityA 15737->15739 15738 40795b GetAce 15738->15741 15739->15736 15740 407980 EqualSid 15740->15741 15741->15729 15741->15738 15741->15740 15742 407a3d 15741->15742 15743 4079be EqualSid 15741->15743 15744 40799d DeleteAce 15741->15744 15742->15729 15745 407a43 LocalAlloc 15742->15745 15743->15741 15744->15741 15745->15729 15746 407a56 InitializeSecurityDescriptor 15745->15746 15747 407a62 SetSecurityDescriptorDacl 15746->15747 15748 407a86 LocalFree 15746->15748 15747->15748 15749 407a73 SetFileSecurityA 15747->15749 15748->15729 15749->15748 15750 407a83 15749->15750 15750->15748 15752 407ac4 15751->15752 15753 407acb GetUserNameA 15751->15753 15752->15726 15754 407da7 RegCloseKey 15753->15754 15755 407aed LookupAccountNameA 15753->15755 15754->15752 15755->15754 15756 407b24 RegGetKeySecurity 15755->15756 15756->15754 15757 407b49 GetSecurityDescriptorOwner 15756->15757 15758 407b63 EqualSid 15757->15758 15759 407bb8 GetSecurityDescriptorDacl 15757->15759 15758->15759 15761 407b74 LocalAlloc 15758->15761 15760 407da6 15759->15760 15766 407bdc 15759->15766 15760->15754 15761->15759 15762 407b8a InitializeSecurityDescriptor 
15761->15762 15764 407bb1 LocalFree 15762->15764 15765 407b96 SetSecurityDescriptorOwner 15762->15765 15763 407bf8 GetAce 15763->15766 15764->15759 15765->15764 15767 407ba6 RegSetKeySecurity 15765->15767 15766->15760 15766->15763 15768 407c1d EqualSid 15766->15768 15769 407cd9 15766->15769 15770 407c5f EqualSid 15766->15770 15771 407c3a DeleteAce 15766->15771 15767->15764 15768->15766 15769->15760 15772 407d5a LocalAlloc 15769->15772 15774 407cf2 RegOpenKeyExA 15769->15774 15770->15766 15771->15766 15772->15760 15773 407d70 InitializeSecurityDescriptor 15772->15773 15775 407d7c SetSecurityDescriptorDacl 15773->15775 15776 407d9f LocalFree 15773->15776 15774->15772 15779 407d0f 15774->15779 15775->15776 15777 407d8c RegSetKeySecurity 15775->15777 15776->15760 15777->15776 15778 407d9c 15777->15778 15778->15776 15780 407d43 RegSetValueExA 15779->15780 15780->15772 15781 407d54 15780->15781 15781->15772 15782->15285 15784 40dd05 6 API calls 15783->15784 15787 40e65f 15784->15787 15785 40e6a5 15786 40ebcc 4 API calls 15785->15786 15790 40e6f5 15785->15790 15789 40e6b0 15786->15789 15787->15785 15788 40e68c lstrcmpA 15787->15788 15788->15787 15789->15790 15792 40e6b7 15789->15792 15793 40e6e0 lstrcpynA 15789->15793 15791 40e71d lstrcmpA 15790->15791 15790->15792 15791->15790 15792->15287 15793->15790 15794->15293 15796 40c525 15795->15796 15797 40c532 15795->15797 15796->15797 15799 40ec2e codecvt 4 API calls 15796->15799 15798 40c548 15797->15798 15947 40e7ff 15797->15947 15801 40e7ff lstrcmpiA 15798->15801 15809 40c54f 15798->15809 15799->15797 15802 40c615 15801->15802 15805 40ebcc 4 API calls 15802->15805 15802->15809 15803 40c5d1 15807 40ebcc 4 API calls 15803->15807 15805->15809 15806 40e819 11 API calls 15808 40c5b7 15806->15808 15807->15809 15810 40f04e 4 API calls 15808->15810 15809->15306 15811 40c5bf 15810->15811 15811->15798 15811->15803 15813 402692 inet_addr 15812->15813 15814 40268e 15812->15814 15813->15814 15815 40269e gethostbyname 15813->15815 15816 
Execution Graph
(The original page renders this as an interactive call graph; only the node/edge dump survived extraction. Nodes are return addresses in the unpacked image at 0x00400000 and in the unpacking stub at 0x024f0000/0x02537000. The API-annotated nodes recoverable from the dump, grouped by routine, are listed below; the bare numeric edges carry no further information.)
• 0x40f315 socket setup: htons, socket, ioctlsocket, connect, select, __WSAFDIsSet, a second ioctlsocket, then five setsockopt calls at 0x40f26d; closesocket on the alternate branches (0x40f374, 0x40f39f). 0x40f43e/0x40f473 wrap recv, 0x40c73c wraps send, 0x401990 closesocket.
• 0x40a7c1 line-oriented exchange over that socket: wsprintfA-formatted buffers passed to send (0x40a87d, 0x40a8c4), replies read with recv (0x40a978); 0x40a7a3 inet_ntoa; 0x40ad08 gethostname; 0x4026b2 gethostbyaddr and inet_ntoa.
• 0x402df2 address resolution: GetModuleHandleA, LoadLibraryA, GetProcAddress, GetProcessHeap/HeapAlloc, htons, inet_addr (0x402e7f), gethostbyname (0x402ea5), then the datagram routine at 0x402a62: socket, htons, sendto (0x4027cc), select, recv, HeapAlloc/HeapFree, closesocket (0x402cb3); the helpers at 0x402816, 0x402871 and 0x4029bd consist of htons and HeapAlloc.
• 0x40ad89/0x40b211 timestamp formatting: GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation, wsprintfA.
• 0x404000-0x40427b named-pipe server: CreateNamedPipeA (0x404159), ConnectNamedPipe, GetLastError, ReadFile and WriteFile with WaitForSingleObject and GetOverlappedResult (0x403f8c, 0x403f18), DisconnectNamedPipe, CloseHandle, ExitProcess (0x40411c).
• 0x40e095 registry helper: RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCloseKey; its caller 0x40e177 also reaches WriteFile and CloseHandle.
• 0x408328 installer: GetTempPathA (0x408626), RegOpenKeyExA/RegQueryValueExA/RegSetValueExA/RegCloseKey (0x4083ea-0x408573), IsBadCodePtr, CreateProcessA (0x408719) followed by two CloseHandle calls, DeleteFileA (0x40875b); 0x406ba7 writes a file with CreateFileA and WriteFile and on one branch closes and deletes it; 0x407fcf reaches CreateProcessA (0x4080c2); 0x407ead reaches DeleteFileA (0x407ece).
• 0x406f88 account lookup: LookupAccountNameA, ConvertSidToStringSidA, LocalFree, wsprintfA.
• 0x40c2dc thread spawner: GetTickCount loops, InterlockedIncrement and CreateThread (0x40c4ab) of the worker at 0x40b535, which loops over GetTickCount, InterlockedIncrement/InterlockedDecrement, lstrcmpA, lstrcpyA, lstrcpynA, lstrlenA, wsprintfA, closesocket and Sleep.
• 0x40f04e dynamic import and time helper: LoadLibraryA, GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime. 0x40ebcc/0x40ec2e heap wrappers: GetProcessHeap, HeapSize, HeapAlloc / HeapFree.
• Timing helpers built from GetTickCount, InterlockedExchange and Sleep (0x4030fa, 0x407db7, 0x40a4c7, 0x404bd1); GetCurrentThreadId at 0x4036da, 0x4037b3 and 0x40391b.
• 0x24f0005 unpacking stub: GetPEB (0x24f092b, 0x24f0dbb), two SetErrorMode calls (0x24f0e0f), VirtualAlloc (0x24f0238), VirtualProtect (0x24f02ce), VirtualFree (0x24f0439), LoadLibraryA (0x24f04e3, 0x24f05f4). 0x2538031: CreateToolhelp32Snapshot, Module32First; 0x2537d2c VirtualAlloc.
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\H3nfKrgQbi.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
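The call list above is the installer's main routine in report order: it builds a path with lstrcatA, writes a REG_SZ value under HKEY_CURRENT_USER (hive argument 80000001 to RegOpenKeyExA), launches a copy with CreateProcessA using dwCreationFlags 08000000 (CREATE_NO_WINDOW), enters StartServiceCtrlDispatcherA, deletes the file it was started from (DeleteFileA on C:\Users\user\Desktop\H3nfKrgQbi.exe) and only then initialises Winsock. A practitioner triaging many such reports wants that sequence extracted mechanically rather than read by eye. The following is an added example, not part of the Joe Sandbox report or of the sample: a parser for the exact `• Api.MODULE(args), ref: addr` line shape shown on this page, plus a small ordered-sequence check that flags the hidden-child / self-delete / service-dispatcher combination. The Win32 constants it decodes (registry hive handles, CREATE_NO_WINDOW, REG_SZ) are standard values; the combination rule itself is this example's own heuristic, not anything the report computes. The embedded input is a subset of the lines above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One "APIs" line: "• Api.MODULE(arg,arg,...), ref: 0040A120". The argument list may be absent
# ("• GetTickCount.KERNEL32 ref: 0040EC78"); helper calls carry a "Part of subcall function" prefix.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard Win32 values behind the raw hex the report prints.
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
CREATE_NO_WINDOW = 0x08000000   # bit in dwCreationFlags, argument 5 of CreateProcessA
REG_SZ = 1                      # dwType, argument 3 of RegSetValueExA

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # return address inside the dumped image
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int; None when it is absent or printed as '?'."""
        if i >= len(self.args):
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:
            return None

@dataclass
class Findings:
    hives_written: List[tuple] = field(default_factory=list)    # (hive, value type)
    hidden_child_refs: List[int] = field(default_factory=list)  # CreateProcessA with CREATE_NO_WINDOW
    self_delete_ref: Optional[int] = None                       # DeleteFileA on the sample's own path
    service_dispatcher: bool = False
    winsock_init: bool = False

    @property
    def install_pattern(self) -> bool:
        # Heuristic of this example: hidden child, own file deleted afterwards, service dispatcher entered.
        return bool(self.hidden_child_refs) and self.self_delete_ref is not None \
            and self.service_dispatcher

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def assess(calls: List[ApiCall], sample_path: str) -> Findings:
    """Walk the function's own calls in report order and record installer behaviours."""
    f = Findings()
    open_hive = None        # hive of the key opened by the most recent RegOpenKeyExA
    spawned_child = False   # a CreateProcessA has been seen earlier in the sequence
    for c in calls:
        if c.subcall_of is not None:   # a helper's calls belong to that helper, skip them here
            continue
        if c.api == "RegOpenKeyExA":
            open_hive = HIVES.get(c.arg_int(0))
        elif c.api == "RegSetValueExA" and open_hive:
            typ = c.arg_int(3)
            f.hives_written.append((open_hive, "REG_SZ" if typ == REG_SZ else typ))
        elif c.api == "RegCloseKey":
            open_hive = None
        elif c.api == "CreateProcessA":
            spawned_child = True
            if (c.arg_int(5) or 0) & CREATE_NO_WINDOW:
                f.hidden_child_refs.append(c.ref)
        elif c.api == "DeleteFileA" and spawned_child and c.args and c.args[0] == sample_path:
            f.self_delete_ref = c.ref
        elif c.api == "StartServiceCtrlDispatcherA":
            f.service_dispatcher = True
        elif c.api == "WSAStartup":
            f.winsock_init = True
    return f

# A subset of the lines from the APIs list above, in the report's order.
SAMPLE_LINES = r"""
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\H3nfKrgQbi.exe), ref: 0040A407
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
"""
SAMPLE_PATH = r"C:\Users\user\Desktop\H3nfKrgQbi.exe"

if __name__ == "__main__":
    result = assess(parse_api_lines(SAMPLE_LINES), SAMPLE_PATH)
    print(result, "install_pattern =", result.install_pattern)
```

The parser keeps "Part of subcall function" lines but tags them with the helper's address, so the sequence check only reasons about the routine's own calls; the earlier DeleteFileA at 0040A131 is not counted as a self-delete because its argument is not the sample path. To run it over a full report, paste the whole APIs panel into SAMPLE_LINES and set SAMPLE_PATH to the submitted file's path as it appears in the report.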
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                      • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\H3nfKrgQbi.exe$C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$D$P$\$bazwewbz
                                                                      • API String ID: 2089075347-2696082175
                                                                      • Opcode ID: b647bd1953702a4e8b088f3dc0f7098de6aafb44af3c1151fcc255aea30f3bc8
                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                      • Opcode Fuzzy Hash: b647bd1953702a4e8b088f3dc0f7098de6aafb44af3c1151fcc255aea30f3bc8
                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                      Control-flow Graph

                                                                      control_flow_graph 486 40637c-406384 487 406386-406389 486->487 488 40638a-4063b4 GetModuleHandleA VirtualAlloc 486->488 489 4063f5-4063f7 488->489 490 4063b6-4063d4 call 40ee08 VirtualAllocEx 488->490 492 40640b-40640f 489->492 490->489 494 4063d6-4063f3 call 4062b7 WriteProcessMemory 490->494 494->489 497 4063f9-40640a 494->497 497->492
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: cfcaefece596f69424170c8c4d4841579e71e1bfc642e2c0992e76636a24e9ad
                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                      • Opcode Fuzzy Hash: cfcaefece596f69424170c8c4d4841579e71e1bfc642e2c0992e76636a24e9ad
                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                      Control-flow Graph

control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 286 4074a2-4074b1 call 406cad 283->286 287 407714-40771d RegCloseKey 283->287 285 407804-407808 284->285 290 4074b7-4074cc call 40f1a5 286->290 291 4076ed-407700 286->291 287->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 304 407536-40753c 296->304 309 4076df-4076e2 297->309 306 407742-407745 RegCloseKey 298->306 307 40774b-40774e 298->307 308 40753f-407544 304->308 306->307 311 4077ec-4077f7 RegCloseKey 307->311 308->308 310 407546-40754b 308->310 309->291 312 4076e4-4076e7 RegCloseKey 309->312 310->297 313 407551-40756b call 40ee95 310->313 311->285 312->291 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 330 4075d8-4075da 323->330 324->330 332 4075dc 330->332 333 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 330->333 332->333 342 407626-40762b 333->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->311 364 4076dd 361->364 368 4076c1-4076c7 362->368 369 4076d8 362->369 364->309 368->369 370 4076c9-4076d2 368->370 369->364 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 383 4077e0-4077e2 379->383 384 4077de 379->384 380->379 383->359 384->383
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                      • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "
                                                                      • API String ID: 3433985886-123907689
                                                                      • Opcode ID: 0e14b8839bf1cc749044a03d1cbc6966cac7291dd898e36f645a3e61cb73cdcc
                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                      • Opcode Fuzzy Hash: 0e14b8839bf1cc749044a03d1cbc6966cac7291dd898e36f645a3e61cb73cdcc
                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                      Control-flow Graph

control_flow_graph 386 24f003c-24f0047 387 24f004c-24f0263 call 24f0a3f call 24f0e0f call 24f0d90 VirtualAlloc 386->387 388 24f0049 386->388 403 24f028b-24f0292 387->403 404 24f0265-24f0289 call 24f0a69 387->404 388->387 406 24f02a1-24f02b0 403->406 407 24f02ce-24f03c2 VirtualProtect call 24f0cce call 24f0ce7 404->407 406->407 408 24f02b2-24f02cc 406->408 415 24f03d1-24f03e0 407->415 408->406 416 24f0439-24f04b8 VirtualFree 415->416 417 24f03e2-24f0437 call 24f0ce7 415->417 419 24f04be-24f04cd 416->419 420 24f05f4-24f05fe 416->420 417->415 424 24f04d3-24f04dd 419->424 421 24f077f-24f0789 420->421 422 24f0604-24f060d 420->422 427 24f078b-24f07a3 421->427 428 24f07a6-24f07b0 421->428 422->421 425 24f0613-24f0637 422->425 424->420 429 24f04e3-24f0505 LoadLibraryA 424->429 434 24f063e-24f0648 425->434 427->428 430 24f086e-24f08be LoadLibraryA 428->430 431 24f07b6-24f07cb 428->431 432 24f0517-24f0520 429->432 433 24f0507-24f0515 429->433 442 24f08c7-24f08f9 430->442 435 24f07d2-24f07d5 431->435 436 24f0526-24f0547 432->436 433->436 434->421 437 24f064e-24f065a 434->437 438 24f07d7-24f07e0 435->438 439 24f0824-24f0833 435->439 440 24f054d-24f0550 436->440 437->421 441 24f0660-24f066a 437->441 443 24f07e4-24f0822 438->443 444 24f07e2 438->444 448 24f0839-24f083c 439->448 445 24f0556-24f056b 440->445 446 24f05e0-24f05ef 440->446 447 24f067a-24f0689 441->447 449 24f08fb-24f0901 442->449 450 24f0902-24f091d 442->450 443->435 444->439 451 24f056f-24f057a 445->451 452 24f056d 445->452 453 24f068f-24f06b2 447->453 454 24f0750-24f077a 447->454 448->430 455 24f083e-24f0847 448->455 449->450 457 24f057c-24f0599 451->457 458 24f059b-24f05bb 451->458 452->446 459 24f06ef-24f06fc 453->459 460 24f06b4-24f06ed 453->460 454->434 461 24f084b-24f086c 455->461 462 24f0849 455->462 469 24f05bd-24f05db 457->469 458->469 463 24f06fe-24f0748 459->463 464 24f074b 459->464 460->459 461->448 462->430 463->464 464->447 469->440
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024F024D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: cess$kernel32.dll
                                                                      • API String ID: 4275171209-1230238691
                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction ID: fbf06393b412c87a3d50d88f0dbf1f48102c0f1d04f45ddb18649da5986a0ba6
                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction Fuzzy Hash: 3E526D74A01229DFDBA4CF58C984BADBBB1BF49304F1480DAE54DA7356DB30AA85CF14
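The record above comes from a dump of the region at 024F0000, which the report marks "based on PE: false" and which calls VirtualAlloc, VirtualProtect, LoadLibraryA and VirtualFree with a "kernel32.dll" string: a loader stub in private memory rather than a mapped image. The script below is an added example, not part of the Joe Sandbox report, that splits the report's "Memory Dump Source" names into fields and triages each region. The field layout is an inference from the three names on this page, not a documented format: field 1 is read as the PID and field 4 as the base address because both match the "hcaresult_12_2_400000_..." snapshot name and the Offset value, field 2 as the dump stage, and field 5 (0x40) and field 7 (0x1000000 or 0x20000) as the page protection and MEM_* region type because they equal exactly those Win32 constants. Fields 3 and 6 are left undecoded.

```python
"""Added example, not part of the Joe Sandbox report: decode the report's
"Memory Dump Source" names and triage each dumped region.

Field meaning is inferred from the three names on this page (assumption):
field 1 = PID, field 2 = dump stage, field 4 = base address, field 5 = page
protection, field 7 = MEM_* type. Fields 3 and 6 are not decoded."""
import re
from dataclasses import dataclass

# Documented Win32 constants (winnt.h) used to name fields 5 and 7.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(
    rf"^{HEX8}\.{HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{HEX8}\.{HEX8}\.{HEX8}\.{HEX8}\.sdmp$")
SOURCE_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


@dataclass
class DumpRegion:
    pid: int
    stage: int
    base: int
    protect: str
    mem_type: str
    pe_based: bool = False
    offset_matches: bool = True


def parse_sdmp_name(name):
    """Split one .sdmp file name into the fields described above."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, stage, _uid, base, prot, _field6, mtype, _idx = m.groups()
    prot_v, type_v = int(prot, 16), int(mtype, 16)
    return DumpRegion(pid=int(pid, 16), stage=int(stage, 16), base=int(base, 16),
                      protect=PAGE_PROTECT.get(prot_v, hex(prot_v)),
                      mem_type=MEM_TYPE.get(type_v, hex(type_v)))


def parse_dump_sources(text):
    """One DumpRegion per 'Source File: ..., Offset: ..., based on PE: ...' line."""
    regions = []
    for name, offset, pe in SOURCE_RE.findall(text):
        r = parse_sdmp_name(name)
        r.pe_based = (pe == "true")
        # The listing's Offset should equal the base encoded in the name.
        r.offset_matches = (int(offset, 16) == r.base)
        regions.append(r)
    return regions


def classify(r):
    """Triage label: where executable code was found and why it matters."""
    if r.mem_type == "MEM_IMAGE" and r.protect == "PAGE_EXECUTE_READWRITE":
        return "image-rwx"      # section rights rewritten: in-place unpacking
    if r.mem_type == "MEM_PRIVATE" and "EXECUTE" in r.protect:
        return "private-exec"   # code in private memory: shellcode or unpacked stage
    return "other"


def triage(text):
    """Map region base -> label for every dump source line in text."""
    return {r.base: classify(r) for r in parse_dump_sources(text)}


# The three dump sources listed in this report (copied from the page).
DUMP_SOURCES = """
Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Source File: 0000000C.00000002.2105550467.0000000002528000.00000040.00000020.00020000.00000000.sdmp, Offset: 02528000, based on PE: false
"""

if __name__ == "__main__":
    for r in parse_dump_sources(DUMP_SOURCES):
        print(f"pid {r.pid} stage {r.stage} base {r.base:#010x} {r.protect} "
              f"{r.mem_type} pe={r.pe_based} -> {classify(r)}")
```

Under this reading all three regions are RWX: the 00400000 image with its section rights changed, and two private regions (024F0000 and 02528000) that hold code without a PE header, which is where to look for the unpacked stage before the Wow64SetThreadContext hand-off.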

                                                                      Control-flow Graph

                                                                      control_flow_graph 470 40977c-4097b9 call 40ee2a CreateProcessA 473 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 470->473 474 4097bb-4097bd 470->474 478 409801-40981c call 40637c 473->478 479 4097f5 473->479 475 409864-409866 474->475 480 4097f6-4097ff TerminateProcess 478->480 483 40981e-409839 WriteProcessMemory 478->483 479->480 480->474 483->479 484 40983b-409856 Wow64SetThreadContext 483->484 484->479 485 409858-409863 ResumeThread 484->485 485->475
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                      • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                      • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2098669666-2746444292
                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
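The function at 0040977C above chains CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, with TerminateProcess on the failure path: the process-hollowing sequence, with its subcall at 0040637C committing the remote buffer as PAGE_EXECUTE_READWRITE. The script below is an added example, not part of the report or of the sample's code. It parses API lines in the report's "Api.Module(args), ref: addr" format, decodes the documented Win32 constants at their prototype positions, and flags the chain. The report lists captured stack values in prototype order, so values beyond an API's real arity are caller stack slack and are never decoded; the embedded API lines are copied from the report.

```python
"""Added example, not part of the Joe Sandbox report or of the sample's code:
parse API lines in the report's "Api.Module(args), ref: addr" format, decode
the documented Win32 constants found at their prototype positions, and flag
the process-hollowing chain shown by the function at 0040977C."""
import re

API_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Documented Win32 constants (winnt.h, winbase.h, winreg.h, tlhelp32.h).
CREATE_BITS = {0x4: "CREATE_SUSPENDED", 0x8000000: "CREATE_NO_WINDOW"}
ALLOC_BITS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE = {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
KEY_BITS = {0x20000: "STANDARD_RIGHTS_READ", 0x1: "KEY_QUERY_VALUE",
            0x2: "KEY_SET_VALUE", 0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY",
            0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
SNAP_BITS = {0x2: "TH32CS_SNAPPROCESS", 0x8: "TH32CS_SNAPMODULE"}


def bitmask(table):
    """Decoder for OR-ed flag words; bits not in the table stay as hex."""
    def decode(v):
        names = [name for bit, name in table.items() if v & bit]
        rest = v & ~sum(table)
        if rest:
            names.append(hex(rest))
        return "|".join(names) or "0"
    return decode


def enum(table):
    return lambda v: table.get(v, hex(v))


# api -> {0-based argument index per the documented prototype: decoder}.
# Values past an API's real arity are caller stack slack and are ignored.
DECODERS = {
    "CreateProcessA": {5: bitmask(CREATE_BITS)},
    "VirtualAlloc": {2: bitmask(ALLOC_BITS), 3: enum(PAGE)},
    "VirtualAllocEx": {3: bitmask(ALLOC_BITS), 4: enum(PAGE)},
    "RegOpenKeyExA": {0: enum(HKEYS), 3: bitmask(KEY_BITS)},
    "CreateToolhelp32Snapshot": {0: bitmask(SNAP_BITS)},
    "Sleep": {0: lambda v: f"{v} ms"},
}


def parse_calls(text):
    """One record per API line: name, module, raw args, ref and decoded args."""
    calls = []
    for api, module, raw, ref in API_RE.findall(text):
        args = [a.strip() for a in raw.split(",")]
        decoded = {i: dec(int(args[i], 16))
                   for i, dec in DECODERS.get(api, {}).items()
                   if i < len(args) and HEX_RE.fullmatch(args[i])}
        calls.append({"api": api, "module": module, "args": args,
                      "ref": ref.upper(), "decoded": decoded})
    return calls


def hollowing_chain(calls):
    """True when one function's calls show a process created suspended, its
    memory written, its thread context replaced and the thread resumed."""
    names = {c["api"] for c in calls}
    suspended = any(c["api"] == "CreateProcessA" and
                    "CREATE_SUSPENDED" in c["decoded"].get(5, "") for c in calls)
    return bool(suspended and "WriteProcessMemory" in names and
                names & {"SetThreadContext", "Wow64SetThreadContext"} and
                "ResumeThread" in names)


def rwx_remote_allocs(calls):
    """Refs of VirtualAllocEx calls that commit PAGE_EXECUTE_READWRITE memory."""
    return [c["ref"] for c in calls if c["api"] == "VirtualAllocEx"
            and c["decoded"].get(4) == "PAGE_EXECUTE_READWRITE"]


# API lines copied from the report: the function at 0040977C, then its
# subcall at 0040637C plus the second RegOpenKeyExA of the registry walker.
HOLLOW_FN = """
CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
"""
HELPER_FN = """
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
"""

if __name__ == "__main__":
    for label, text in (("0040977C", HOLLOW_FN), ("0040637C", HELPER_FN)):
        calls = parse_calls(text)
        for c in calls:
            print(f"{c['ref']} {c['api']:<24} {c['decoded']}")
        print(label, "hollowing chain:", hollowing_chain(calls),
              "RWX remote allocs:", rwx_remote_allocs(calls))
```

The decoded RegOpenKeyExA samDesired of 00000101 (KEY_QUERY_VALUE|KEY_WOW64_64KEY) is worth noting alongside the chain: the 32-bit sample explicitly asks for the 64-bit registry view, consistent with its GetSystemWow64DirectoryA lookup elsewhere in the report.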

                                                                      Control-flow Graph

                                                                      control_flow_graph 498 404000-404008 499 40400b-40402a CreateFileA 498->499 500 404057 499->500 501 40402c-404035 GetLastError 499->501 504 404059-40405c 500->504 502 404052 501->502 503 404037-40403a 501->503 506 404054-404056 502->506 503->502 505 40403c-40403f 503->505 504->506 505->504 507 404041-404050 Sleep 505->507 507->499 507->502
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID:
                                                                      • API String ID: 408151869-0
                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                      Control-flow Graph

                                                                      control_flow_graph 509 406e36-406e5d GetUserNameW 510 406ebe-406ec2 509->510 511 406e5f-406e95 LookupAccountNameW 509->511 511->510 512 406e97-406e9b 511->512 513 406ebb-406ebd 512->513 514 406e9d-406ea3 512->514 513->510 514->513 515 406ea5-406eaa 514->515 516 406eb7-406eb9 515->516 517 406eac-406eb0 515->517 516->510 517->513 518 406eb2-406eb5 517->518 518->513 518->516
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID:
                                                                      • API String ID: 2370142434-0
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                      Control-flow Graph

                                                                      control_flow_graph 519 2538031-253804a 520 253804c-253804e 519->520 521 2538050 520->521 522 2538055-2538061 CreateToolhelp32Snapshot 520->522 521->522 523 2538063-2538069 522->523 524 2538071-253807e Module32First 522->524 523->524 530 253806b-253806f 523->530 525 2538080-2538081 call 2537cf0 524->525 526 2538087-253808f 524->526 531 2538086 525->531 530->520 530->524 531->526
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02538059
                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 02538079
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105550467.0000000002528000.00000040.00000020.00020000.00000000.sdmp, Offset: 02528000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2528000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 3833638111-0
                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction ID: 51012cf4f23a6d081ef99955388ea8be7b873c06eddd7618440f45bdfb026f51
                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction Fuzzy Hash: 75F06235500715ABD7252AF9A88CB7A77ECBF49624F101628F642D10C0DB74E8454A65

                                                                      Control-flow Graph

                                                                      control_flow_graph 532 24f0e0f-24f0e24 SetErrorMode * 2 533 24f0e2b-24f0e2c 532->533 534 24f0e26 532->534 534->533
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,024F0223,?,?), ref: 024F0E19
                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,024F0223,?,?), ref: 024F0E1E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction ID: a1355340812a76edfb87e8f37077e87cd166259ba3829630d5b4c7a92252a5d3
                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction Fuzzy Hash: 52D01231545128B7D7402A94DC09BCE7B1CDF45B66F008011FB0DD9181C770954046E5

                                                                      Control-flow Graph: function at 406dc2-406e35 (graph rendering not reproduced; basic blocks and edges only listed the GetVolumeInformationA call path)
                                                                      APIs
                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                      • String ID:
                                                                      • API String ID: 1823874839-0
                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                      Control-flow Graph: function at 409892-4098f1 (graph rendering not reproduced; basic blocks and edges only listed the SetServiceStatus call path)
                                                                      APIs
                                                                      • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ServiceStatus
                                                                      • String ID:
                                                                      • API String ID: 3969395364-0
                                                                      • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                      • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                      • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                      • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                      Control-flow Graph: function at 2537cf0-2537d78 (graph rendering not reproduced; basic blocks and edges only listed the VirtualAlloc call path)
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02537D41
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105550467.0000000002528000.00000040.00000020.00020000.00000000.sdmp, Offset: 02528000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_2528000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction ID: 9eeb3f5a463af17f9ae3b4054fa24c27836664612d13a420b9df645b9077d138
                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction Fuzzy Hash: BF112B79A00208EFDB01DF98C985E98BBF5AF08351F058094F9489B361D371EA50DF84

                                                                      Control-flow Graph: function at 4098f2-409960 (graph rendering not reproduced; basic blocks and edges only listed the Sleep loop and subcalls)
                                                                      APIs
                                                                        • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                      • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventSleep
                                                                      • String ID:
                                                                      • API String ID: 3100162736-0
                                                                      • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                      • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                      • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                      • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 024F65F6
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024F6610
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 024F6631
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 024F6652
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction ID: 27cab6013b85eb5c5bffe58820841bee06a415e93b3e3a7b3b3167204318af1b
                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction Fuzzy Hash: B511A771600218BFEB515F65DC05F9B3FACEB44BA5F014025FA14E7250D7B1DD008AA4
                                                                      APIs
                                                                      • ExitProcess.KERNEL32 ref: 024F9E6D
                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 024F9FE1
                                                                      • lstrcat.KERNEL32(?,?), ref: 024F9FF2
                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 024FA004
                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 024FA054
                                                                      • DeleteFileA.KERNEL32(?), ref: 024FA09F
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 024FA0D6
                                                                      • lstrcpy.KERNEL32 ref: 024FA12F
                                                                      • lstrlen.KERNEL32(00000022), ref: 024FA13C
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 024F9F13
                                                                        • Part of subcall function 024F7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 024F7081
                                                                        • Part of subcall function 024F6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ihgdldig,024F7043), ref: 024F6F4E
                                                                        • Part of subcall function 024F6F30: GetProcAddress.KERNEL32(00000000), ref: 024F6F55
                                                                        • Part of subcall function 024F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024F6F7B
                                                                        • Part of subcall function 024F6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024F6F92
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 024FA1A2
                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024FA1C5
                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 024FA214
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 024FA21B
                                                                      • GetDriveTypeA.KERNEL32(?), ref: 024FA265
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 024FA29F
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 024FA2C5
                                                                      • lstrcat.KERNEL32(?,00000022), ref: 024FA2D9
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 024FA2F4
                                                                      • wsprintfA.USER32 ref: 024FA31D
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 024FA345
                                                                      • lstrcat.KERNEL32(?,?), ref: 024FA364
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 024FA387
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 024FA398
                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024FA1D1
                                                                        • Part of subcall function 024F9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 024F999D
                                                                        • Part of subcall function 024F9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 024F99BD
                                                                        • Part of subcall function 024F9966: RegCloseKey.ADVAPI32(?), ref: 024F99C6
                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 024FA3DB
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 024FA3E2
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 024FA41D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                      • String ID: "$"$"$D$P$\
                                                                      • API String ID: 1653845638-2605685093
                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction ID: bf7d0c391061cdff028913eb27c40a402faff4eed16d80f8600fcca9b42e50ca
                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction Fuzzy Hash: 9EF153B1D40259AFDF61DBA0DC48FEF7BBCAB48304F0440AAE709E2141E7B586858F65
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$D
                                                                      • API String ID: 2976863881-489978695
                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 024F7D21
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 024F7D46
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024F7D7D
                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 024F7DA2
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024F7DC0
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024F7DD1
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 024F7DE5
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024F7DF3
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024F7E03
                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 024F7E12
                                                                      • LocalFree.KERNEL32(00000000), ref: 024F7E19
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024F7E35
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$D
                                                                      • API String ID: 2976863881-489978695
                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction ID: 1441937d74dc65ba5814485312ffec28e4fbc7986d073e480e555acb78138403
                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction Fuzzy Hash: 82A16E71900209AFDB518FA0DD88FEFBFB9FB48304F04816AE605E6250E7758A85CB64
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      • Opcode ID: 59680a716c84fab098cc04c228647f95a811d0d2f75c561d0d852e03931200d7
                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                      • Opcode Fuzzy Hash: 59680a716c84fab098cc04c228647f95a811d0d2f75c561d0d852e03931200d7
                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 024F7A96
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024F7ACD
                                                                      • GetLengthSid.ADVAPI32(?), ref: 024F7ADF
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 024F7B01
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024F7B1F
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024F7B39
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 024F7B4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024F7B58
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024F7B68
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 024F7B77
                                                                      • LocalFree.KERNEL32(00000000), ref: 024F7B7E
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024F7B9A
                                                                      • GetAce.ADVAPI32(?,?,?), ref: 024F7BCA
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024F7BF1
                                                                      • DeleteAce.ADVAPI32(?,?), ref: 024F7C0A
                                                                      • EqualSid.ADVAPI32(?,?), ref: 024F7C2C
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 024F7CB1
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024F7CBF
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 024F7CD0
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 024F7CE0
                                                                      • LocalFree.KERNEL32(00000000), ref: 024F7CEE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: 55367e2dc6caccfa52f05685572d25ec9026ae9b0629e6e6dd61d30a39351a76
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: B8815D71900259AFEB51CFA4DD84FEFBBB8EF48304F04806AE605E6250D7798681CB64
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$localcfg
                                                                      • API String ID: 237177642-767073137
                                                                      • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                      • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                      • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                      • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-3716895483
                                                                      • Opcode ID: aad480b6e0e58a6918efc610d136f9871add2120a421913cbbbf5b4a59ea4240
                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                      • Opcode Fuzzy Hash: aad480b6e0e58a6918efc610d136f9871add2120a421913cbbbf5b4a59ea4240
                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                      • API String ID: 4207808166-1381319158
                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                      APIs
                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                      • API String ID: 835516345-270533642
                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 024F865A
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 024F867B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 024F86A8
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 024F86B1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: "$C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe
                                                                      • API String ID: 237177642-2235305659
                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction ID: f3aa70a5eba402f650266a0e1d6d9f756bb6284a8b419a97865b093a981d91bc
                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction Fuzzy Hash: D2C191B2900149BFEB51ABA4DD84EEF7BBDEB84304F14406BF704EA150E7B04A948F65
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                      • select.WS2_32 ref: 00402B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
APIs
• ShellExecuteExW.SHELL32(?), ref: 024F1601
• lstrlenW.KERNEL32(-00000003), ref: 024F17D8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: f4d1a6300ba202540b5e8f883527a1f752ef79c049d4e5137a6afa3d06c12475
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: 1AF138B1508341DFD720DF64C888AABB7E5FBC8305F00892EFA9997390D7B49944CB66
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024F76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 024F7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 024F778F
• ___ascii_stricmp.LIBCMT ref: 024F78B4
• RegCloseKey.ADVAPI32(?), ref: 024F794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 024F796D
• RegCloseKey.ADVAPI32(?), ref: 024F797E
• RegCloseKey.ADVAPI32(?), ref: 024F79AC
• RegCloseKey.ADVAPI32(?), ref: 024F7A56
  • Part of subcall function 024FF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,024F772A,?), ref: 024FF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 024F79F6
• RegCloseKey.ADVAPI32(?), ref: 024F7A4D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 81ad110082cff91c28e047ef74f734b7936b3517d77cf77b3a800cf6e4774b84
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: F3C18571900209AFEB51DBA5DC44FEFBBB9EF89710F1140A7E604E6190EB759A84CF60
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(75920F10), ref: 00407208
• RegCloseKey.ADVAPI32(75920F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
• RegCloseKey.ADVAPI32(75920F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 024F2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 024F2D07
• htons.WS2_32(00000000), ref: 024F2D42
• select.WS2_32 ref: 024F2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 024F2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 024F2E62
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: 8d26452d8de5cee50ac0cb9b522a8e7fb290aa63a477adde45208256b8fb0e06
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: 6461DF71904305ABC360DF61DC08B6BBBE8FB88745F15481AFE8597250E7F5D881CBA6
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
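The API lists in this report are only useful once the raw hex arguments are decoded: in the functions above, socket(00000002,00000002,00000011) is socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP), htons(00000035) is port 53, and RegOpenKeyExA(80000002,...,00020119,...) opens HKEY_LOCAL_MACHINE with KEY_READ plus KEY_WOW64_64KEY. The script below is an added example, not code from Joe Sandbox or from the sample: it parses lines in the plugin's "API.MODULE(args), ref: ADDR" format and annotates the registry, socket and file-API calls with SDK constant names. The sample input is copied from the APIs lists on this page (the UDP receive, DNS resolver and registry functions above, plus one CreateFileA line from the file-read function further down) so it runs offline. Two caveats are encoded as assumptions in the code: a "?" argument means the plugin could not recover that value, and argument positions in these lists are heuristic (the RegOpenKeyExA lines carry four, five and seven arguments), so the samDesired decoder picks the first small non-zero number after the hive rather than trusting a fixed index.

```python
import re

# A Joe Sandbox "APIs" line: "• API.MODULE(arg,arg,...), ref: ADDR" or "• API.MODULE ref: ADDR";
# lines nested under "Part of subcall function XXXXXXXX:" belong to that callee.
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows SDK constants for the calls seen in this report.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
HIVE = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE_BITS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR_BITS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}

def flags(value, table):
    """Render a bitmask symbolically; bits the table does not know stay visible as hex."""
    known = sum(bit for bit in table if value & bit == bit)
    names = [name for bit, name in table.items() if value & bit == bit]
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) or "0"

def parse_arg(tok):
    # "?" means the plugin could not recover the argument; otherwise hex or a string literal.
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16) & 0xFFFFFFFF
    except ValueError:
        return tok

def _socket(a):
    if len(a) >= 3 and all(isinstance(x, int) for x in a[:3]):
        return [f"socket({AF.get(a[0], a[0])}, {SOCK.get(a[1], a[1])}, {PROTO.get(a[2], a[2])})"]
    return []

def _htons(a):
    if a and isinstance(a[0], int):
        port = a[0] & 0xFFFF  # u_short: only the low 16 bits are the port
        return [f"port {port}" + (" (DNS)" if port == 53 else "")]
    return []

def _regopen(a):
    notes = [HIVE[a[0]]] if a and a[0] in HIVE else []
    # Argument positions differ between the RegOpenKeyExA lines in this report, so
    # heuristically take the first small non-zero number after the hive as samDesired.
    sam = next((x for x in a[1:] if isinstance(x, int) and 0 < x < 0x10000000), None)
    if sam is not None:
        notes.append("samDesired=" + flags(sam, KEY_BITS))
    return notes

def _createfile(a):
    if len(a) < 6 or not all(isinstance(a[i], int) for i in (1, 2, 4, 5)):
        return []
    return [f"access={flags(a[1], ACCESS_BITS)} share={flags(a[2], SHARE_BITS)} "
            f"disposition={DISPOSITION.get(a[4], a[4])} attrs={flags(a[5], ATTR_BITS)}"]

def _size_at(index, label):
    return lambda a: [f"{label} 0x{a[index]:x} bytes"] if len(a) > index and isinstance(a[index], int) else []

def _string_at(index):
    return lambda a: [repr(a[index])] if len(a) > index and isinstance(a[index], str) else []

DECODERS = {
    "socket": _socket, "htons": _htons, "RegOpenKeyExA": _regopen, "CreateFileA": _createfile,
    "ReadFile": _size_at(2, "reads"), "recv": _size_at(2, "buffer"),
    "SetFileAttributesA": lambda a: [flags(a[1], ATTR_BITS)] if len(a) > 1 and isinstance(a[1], int) else [],
    "LoadLibraryA": _string_at(0), "GetProcAddress": _string_at(1),
}

def annotate(line):
    """Parse one report line; None for headings, hashes and other non-API lines."""
    m = API_RE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
    return {"api": m["api"], "module": m["mod"], "ref": m["ref"].upper(),
            "caller": m["caller"].upper() if m["caller"] else None,
            "args": args, "notes": DECODERS.get(m["api"], lambda a: [])(args)}

def annotate_block(text):
    return [row for row in map(annotate, text.splitlines()) if row]

# Sample input: lines copied from the APIs lists in this report so the script runs offline.
SAMPLE = """\
• RtlAllocateHeap.NTDLL(00000000), ref: 024F2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 024F2D07
• htons.WS2_32(00000000), ref: 024F2D42
• select.WS2_32 ref: 024F2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 024F2DB1
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• htons.WS2_32(00000035), ref: 00402E88
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024F76D9
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
Memory Dump Source
"""

if __name__ == "__main__":
    for row in annotate_block(SAMPLE):
        print(f"{row['ref']}  {row['api']:<20} {'; '.join(row['notes'])}")
```

Feed it a whole report section and grep the output for samDesired masks with KEY_SET_VALUE, sockets bound to port 53, or CreateFileA with GENERIC_WRITE to find the functions worth opening in the disassembler first; anything the table does not know is left as hex rather than silently dropped.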
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
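The three fixed ReadFile lengths recovered in the function above give away what it does: 0x40 bytes is sizeof(IMAGE_DOS_HEADER), 0xF8 bytes is sizeof(IMAGE_NT_HEADERS32) and 0x28 bytes is sizeof(IMAGE_SECTION_HEADER), each read after a SetFilePointer, so the function walks the headers of a 32-bit PE file before seeking back to offset 0 and reading the whole file. The recovered arguments also show the attribute handling around the open: SetFileAttributesA(...,00000080) resets the target to FILE_ATTRIBUTE_NORMAL, the file is opened with GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE and OPEN_EXISTING, and SetFileAttributesA(...,00000002) then marks it FILE_ATTRIBUTE_HIDDEN. The script below is an added example, not code from the sample or from Joe Sandbox: it performs the same three reads with struct layouts from winnt.h on a constructed minimal PE32 image (one .text section holding a RET; not a dump of H3nfKrgQbi.exe), and, going one step beyond the recovered calls, maps the entry-point RVA to a file offset through the first section header.

```python
import struct

# Fixed-size structures from winnt.h; their sizes are the three ReadFile lengths in the report.
DOS_HEADER = struct.Struct("<2s58xI")           # e_magic ... e_lfanew            (0x40 bytes)
FILE_HEADER = struct.Struct("<4sHHIIIHH")       # Signature + IMAGE_FILE_HEADER   (24 bytes)
OPT_HEADER = struct.Struct("<H14xI8xI")         # Magic, AddressOfEntryPoint, ImageBase
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER            (0x28 bytes)
NT_HEADERS32_SIZE = 0xF8                         # Signature + FileHeader + OptionalHeader32
PE32_MAGIC = 0x10B


def read_pe_headers(data):
    """Walk the headers the way the function above does: DOS header, NT headers, first section."""
    if len(data) < DOS_HEADER.size:
        raise ValueError("file shorter than IMAGE_DOS_HEADER")
    e_magic, e_lfanew = DOS_HEADER.unpack_from(data, 0)
    if e_magic != b"MZ":
        raise ValueError("missing MZ signature")
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]   # the 0xF8-byte read
    if len(nt) != NT_HEADERS32_SIZE:
        raise ValueError("truncated NT headers")
    sig, machine, n_sections, _ts, _symtab, _nsyms, opt_size, characteristics = FILE_HEADER.unpack_from(nt, 0)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_magic, entry_rva, image_base = OPT_HEADER.unpack_from(nt, FILE_HEADER.size)
    if opt_magic != PE32_MAGIC:
        raise ValueError("not a PE32 image (a 0xF8-byte read only fits IMAGE_NT_HEADERS32)")
    sec_off = e_lfanew + FILE_HEADER.size + opt_size    # the 0x28-byte read
    (name, vsize, va, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin, sec_chars) = SECTION_HEADER.unpack_from(data, sec_off)
    return {
        "e_lfanew": e_lfanew, "machine": machine, "sections": n_sections,
        "characteristics": characteristics, "entry_rva": entry_rva, "image_base": image_base,
        "first_section": {"name": name.rstrip(b"\0").decode(), "virtual_address": va,
                          "virtual_size": vsize, "raw_offset": raw_ptr, "raw_size": raw_size,
                          "characteristics": sec_chars},
    }


def entry_bytes(data, info, count):
    """Map the entry-point RVA to a file offset via the first section and return `count` bytes there."""
    sec = info["first_section"]
    if not (sec["virtual_address"] <= info["entry_rva"] < sec["virtual_address"] + sec["raw_size"]):
        raise ValueError("entry point is not inside the first section")
    offset = sec["raw_offset"] + (info["entry_rva"] - sec["virtual_address"])
    return data[offset:offset + count]


def build_sample_pe():
    """Constructed minimal PE32 (not a dump of the sample): one .text section holding a RET."""
    opt = bytearray(224)                          # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)   # ImageBase
    dos = DOS_HEADER.pack(b"MZ", 0x40)            # NT headers directly follow the DOS header
    file_hdr = FILE_HEADER.pack(b"PE\0\0", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = SECTION_HEADER.pack(b".text\0\0\0", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + file_hdr + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0")  # raw .text at file offset 0x200


if __name__ == "__main__":
    pe = build_sample_pe()
    info = read_pe_headers(pe)
    print(info)
    print("entry bytes:", entry_bytes(pe, info, 1).hex())
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(); a 64-bit image fails the PE32 magic check, which is the same limitation the sample's 0xF8-byte read implies.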
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 024F202D
• GetSystemInfo.KERNEL32(?), ref: 024F204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 024F206A
• GetProcAddress.KERNEL32(00000000), ref: 024F2071
• GetCurrentProcess.KERNEL32(?), ref: 024F2082
• GetTickCount.KERNEL32 ref: 024F2230
  • Part of subcall function 024F1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 024F1E7C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: ce329c1d40c6f2450a756dbdc994d81b02cc0cd1ad1b5a25742d8a2d7c7d6bbd
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: C651D870900344AFE370AF768C85F677AECEB84704F00491FFB9686252D7B5A584CB65
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                      APIs
                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID:
                                                                      • API String ID: 2404124870-0
                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                      APIs
                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 024F3068
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 024F3078
                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 024F3095
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 024F30B6
                                                                      • htons.WS2_32(00000035), ref: 024F30EF
                                                                      • inet_addr.WS2_32(?), ref: 024F30FA
                                                                      • gethostbyname.WS2_32(?), ref: 024F310D
                                                                      • HeapFree.KERNEL32(00000000), ref: 024F314D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: iphlpapi.dll
                                                                      • API String ID: 2869546040-3565520932
                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction ID: b5941bdf0e5a18d3ca32d5ad44bfc31c8debd8c0750dd4b3e60d2b76f2e39b52
                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction Fuzzy Hash: 5231C731A00246ABDB929FB49D48BAF7F78EF44364F1441A7E618E3390DB74D541CB58
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?), ref: 024F95A7
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024F95D5
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 024F95DC
                                                                      • wsprintfA.USER32 ref: 024F9635
                                                                      • wsprintfA.USER32 ref: 024F9673
                                                                      • wsprintfA.USER32 ref: 024F96F4
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 024F9758
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024F978D
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024F97D8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID:
                                                                      • API String ID: 3696105349-0
                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction ID: c62da10363847511f7d41fb28b29905a10d214479ad9571535335d696d760b4f
                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction Fuzzy Hash: E2A16AB2900608FBEB61DFA1CC45FDB3BADAB84740F10402BFA1596251E7B5D584CFA5
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 3560063639-3847274415
                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-1625972887
                                                                      • Opcode ID: b0a2ae875f58e383b947a4d61bc12981f29674b2f93b28c56df9bb17aab017a1
                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                      • Opcode Fuzzy Hash: b0a2ae875f58e383b947a4d61bc12981f29674b2f93b28c56df9bb17aab017a1
                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                      • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 3188212458-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000008), ref: 024F67C3
                                                                      • htonl.WS2_32(?), ref: 024F67DF
                                                                      • htonl.WS2_32(?), ref: 024F67EE
                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 024F68F1
                                                                      • ExitProcess.KERNEL32 ref: 024F69BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Processhtonl$CurrentExitRead
                                                                      • String ID: except_info$localcfg
                                                                      • API String ID: 1430491713-3605449297
                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction ID: 0e70a0c211c851caf44840e893623a4cec965050d5488d61d3f5b052dbc368d2
                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction Fuzzy Hash: E4616E71A40208AFDB609FB4DC45FEA77E9FB48300F14806AFA6DD2161EB7599908F14
                                                                      APIs
                                                                      • htons.WS2_32(024FCC84), ref: 024FF5B4
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 024FF5CE
                                                                      • closesocket.WS2_32(00000000), ref: 024FF5DC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction ID: a829de05e2eba03b54815dd0ff9ee2fe8db07ce13d9aef3e8d33ae16f26a9663
                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction Fuzzy Hash: E3316071900118ABDB50DFA5DC84DEF7BBCEF88710F11456AFA15D3190E7709A86CBA4
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                      • wsprintfA.USER32 ref: 00407036
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                      • String ID: /%d$|
                                                                      • API String ID: 676856371-4124749705
                                                                      • Opcode ID: cea40b17ff8fa2f601ad1f23a222ab117a5c0c4b809ada7763c407b3c8c52c78
                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                      • Opcode Fuzzy Hash: cea40b17ff8fa2f601ad1f23a222ab117a5c0c4b809ada7763c407b3c8c52c78
                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(?), ref: 024F2FA1
                                                                      • LoadLibraryA.KERNEL32(?), ref: 024F2FB1
                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 024F2FC8
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 024F3000
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 024F3007
                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 024F3032
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: dnsapi.dll
                                                                      • API String ID: 1242400761-3175542204
                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction ID: 2c59d0c05404c5f111d6e5b042553de91452c6174e488aef36d94586a3a6b15f
                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction Fuzzy Hash: 8F219271D40226BBCB619F55DC44AAFBFB8EF48B10F014462FA01E7640D7B49AC18BE4

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 024F9A18
• GetThreadContext.KERNEL32(?,?), ref: 024F9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 024F9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 024F9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 024F9AB5
• ResumeThread.KERNEL32(?), ref: 024F9AC2
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: f7f3f54aa703419f78af6d8174274fff446d7e0cc361af7e5f57a851cc2c0ba7
• Instruction Fuzzy Hash: 60213BB1E01229BBDB619BA1DC09FEF7BBCEF44750F404062BA19E1150E7758A84CBA4

APIs
• inet_addr.WS2_32(004102D8), ref: 024F1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 024F1C26
• GetProcessHeap.KERNEL32 ref: 024F1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 024F1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 024F1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 024F1D02
• FreeLibrary.KERNEL32(?), ref: 024F1D0B
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 58d04e133c32add87a4f6a944e0ec9dcd761273cee871b8b98abb98e1666041a
• Instruction Fuzzy Hash: D3315E32D00249FFCB519FA4DC888AFBAB9EB85705B24447BE609A2210D7B55E80DB94

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024F6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 024F6D22
• GetLastError.KERNEL32 ref: 024F6DA7
• CloseHandle.KERNEL32(?), ref: 024F6DB5
• GetLastError.KERNEL32 ref: 024F6DD6
• DeleteFileA.KERNEL32(?), ref: 024F6DE7
• GetLastError.KERNEL32 ref: 024F6DFD
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: 46d94ca98cbaa321f52e1f5e2f7c8e1286a166fefbeaa3efd10aa1a04272255d
• Instruction Fuzzy Hash: E431EE73900249BFCB419FA59D48ADF7F7DEB88300F16816AE321A3220D7708A858B61

APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ihgdldig,024F7043), ref: 024F6F4E
• GetProcAddress.KERNEL32(00000000), ref: 024F6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024F6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024F6F92
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\ihgdldig
• API String ID: 1082366364-4262714149
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 0fa34587edd491e716f7d1618f33a3e59758859a38f8c42be2438947ca87c465
• Instruction Fuzzy Hash: B421F2217403403EF7A257319C88FBB2A4C8F92714F1A40AAFA0495AD0DBD984DA8A7D

Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction ID: 1bce074a5de0d44bb125ee1f6e55e93cf9469f5f2bfa0e6d82615cb31421aafb
• Instruction Fuzzy Hash: 5A712B72A00364ABDFA19B54DC85FEF376AABC0749F244027FB0CA61D0DF6199C88B55

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: c9ad8023725aab8d2fa60d869e3a7a47c0dc8c499feb85b8788b54ce06fbb5cf
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54

APIs
  • Part of subcall function 024FDF6C: GetCurrentThreadId.KERNEL32 ref: 024FDFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 024FE8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,024F6128), ref: 024FE950
• lstrcmp.KERNEL32(?,00000008), ref: 024FE989
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: dadaf5de2ed26876fb454433dc0f7590e0106b56fee411f013dd345338b3e8bb
• Instruction Fuzzy Hash: A1319231B00705DBDBB18F25C884FAB7BE5EB85726F00852BEB5587661D370E480CBA1

Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C

Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: 30ab593c2473aebfd1d45b0ea47de3bac8974f8690fb089cbf03723c8bf40b88
• Instruction Fuzzy Hash: 04215C73204219BFDB509BB1FC48EDF7FADEB89265B118426F612D10A0FB71DA409A74

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668

APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 024F92E2
• wsprintfA.USER32 ref: 024F9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024F9375
• lstrlen.KERNEL32(?,?,00000000), ref: 024F9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 024F9394
• CloseHandle.KERNEL32(00000000), ref: 024F939B
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 00e0c5956023fe4b07fbb779d4e377da03230f15907cf86a314cb9cc18d752be
• Instruction Fuzzy Hash: EE119AB57401147BE7606732DC0DFEF3A6EDFC8B11F01C06ABB06E5090EAB44A458A75

APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E

APIs
• GetTickCount.KERNEL32 ref: 024FC6B4
• InterlockedIncrement.KERNEL32(024FC74B), ref: 024FC715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,024FC747), ref: 024FC728
• CloseHandle.KERNEL32(00000000,?,024FC747,00413588,024F8A77), ref: 024FC733
Memory Dump Source
• Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: d800eaceae510e1df57b912a0c9065c9211c0c13b61362d09497bacd5537fa87
• Instruction Fuzzy Hash: 97514CB1A04B458FD7A4CF29C5C462ABBE9FB88704B50693FE28BC7A90D774E444CB50
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                      • String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe
                                                                      • API String ID: 124786226-3712348508
                                                                      • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                      • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 024F71E1
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024F7228
                                                                      • LocalFree.KERNEL32(?,?,?), ref: 024F7286
                                                                      • wsprintfA.USER32 ref: 024F729D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                      • String ID: |
                                                                      • API String ID: 2539190677-2343686810
                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction ID: 37e515816f8ccd3fd5b0a66c7130925b7837e47e00d98b9a33afabb3d3c56606
                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction Fuzzy Hash: 9D313872A00208BFDB41DFA8DC44BDB7BACEF44314F148066F959DB240EB79D6488B94
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpen
                                                                      • String ID:
                                                                      • API String ID: 1586453840-0
                                                                      • Opcode ID: 430104cac5c13c71f5437c0750a91fe091c0dcfcbc33bae831f1428fc17f18ae
                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                      • Opcode Fuzzy Hash: 430104cac5c13c71f5437c0750a91fe091c0dcfcbc33bae831f1428fc17f18ae
                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 024FB51A
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 024FB529
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 024FB548
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 024FB590
                                                                      • wsprintfA.USER32 ref: 024FB61E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                      • String ID:
                                                                      • API String ID: 4026320513-0
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 7c1e5bd8289b24d1cd9650f3b7a713fa30cfff52a6da8684ce552db02d8485b7
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: 375111B1D0021DAACF54DFD5D8445EEBBB9FF49308F10816BE605A6150E7B84AC9CF98
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID:
                                                                      • API String ID: 1371578007-0
                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 024F6303
                                                                      • LoadLibraryA.KERNEL32(?), ref: 024F632A
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 024F63B1
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 024F6405
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction ID: 4fd8eb62b7d13b9e75f98712db089c9eef1ded8d6fcc7d0094217f2e82e0c335
                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction Fuzzy Hash: 48417E71A00219AFDB54CF58C884BAAB7B8EF84318F16816EEA25D7390E771E941CB50
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c79c3bb314f3d5ac5fee99c519c64317d163b7d5a05993d84b0a40af9e19cc60
                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                      • Opcode Fuzzy Hash: c79c3bb314f3d5ac5fee99c519c64317d163b7d5a05993d84b0a40af9e19cc60
                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                      • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: A$ A
                                                                      • API String ID: 3343386518-686259309
                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                        • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1802437671-0
                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                      APIs
                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                      • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024F93C6
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 024F93CD
                                                                      • CharToOemA.USER32(?,?), ref: 024F93DB
                                                                      • wsprintfA.USER32 ref: 024F9410
                                                                        • Part of subcall function 024F92CB: GetTempPathA.KERNEL32(00000400,?), ref: 024F92E2
                                                                        • Part of subcall function 024F92CB: wsprintfA.USER32 ref: 024F9350
                                                                        • Part of subcall function 024F92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024F9375
                                                                        • Part of subcall function 024F92CB: lstrlen.KERNEL32(?,?,00000000), ref: 024F9389
                                                                        • Part of subcall function 024F92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 024F9394
                                                                        • Part of subcall function 024F92CB: CloseHandle.KERNEL32(00000000), ref: 024F939B
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 024F9448
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$lstrcmpi
                                                                      • String ID: localcfg
                                                                      • API String ID: 1808961391-1857712256
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                      • API String ID: 2574300362-1087626847
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2777991786-2393279970
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID: *p@
                                                                      • API String ID: 3429775523-2474123842
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg$u6A
                                                                      • API String ID: 1594361348-1940331995
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 024F69E5
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 024F6A26
                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 024F6A3A
                                                                      • CloseHandle.KERNEL32(000000FF), ref: 024F6BD8
                                                                        • Part of subcall function 024FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024F1DCF,?), ref: 024FEEA8
                                                                        • Part of subcall function 024FEE95: HeapFree.KERNEL32(00000000), ref: 024FEEAF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 3384756699-0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID:
                                                                      • API String ID: 2667537340-0
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,024FE50A,00000000,00000000,00000000,00020106,00000000,024FE50A,00000000,000000E4), ref: 024FE319
                                                                      • RegSetValueExA.ADVAPI32(024FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 024FE38E
                                                                      • RegDeleteValueA.ADVAPI32(024FE50A,?,?,?,?,?,000000C8,004122F8), ref: 024FE3BF
                                                                      • RegCloseKey.ADVAPI32(024FE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,024FE50A), ref: 024FE3C8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID:
                                                                      • API String ID: 2667537340-0
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024F41AB
                                                                      • GetLastError.KERNEL32 ref: 024F41B5
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 024F41C6
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024F41D9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024F421F
                                                                      • GetLastError.KERNEL32 ref: 024F4229
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 024F423A
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024F424D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: f81c76ef026897eaab91a6c462a0c3af0e84f051b9661b6027abee0e54737243
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: 1A010872511109AFDF41DF90ED84BEF7BACEB48295F018062FA01E6150DB70DA548BB6
                                                                      APIs
                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 024FE066
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 1534048567-1846390581
                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction ID: 5e63c1852aae49fa7618872449b59412900e7ec915620f9e5e5c56066fc0d285
                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction Fuzzy Hash: 04F062313007229FCB60CF25D884A83B7E9FB85326B54872BE654C3A70D374A499CF55
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 024F83C6
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 024F8477
                                                                        • Part of subcall function 024F69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 024F69E5
                                                                        • Part of subcall function 024F69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 024F6A26
                                                                        • Part of subcall function 024F69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 024F6A3A
                                                                        • Part of subcall function 024FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024F1DCF,?), ref: 024FEEA8
                                                                        • Part of subcall function 024FEE95: HeapFree.KERNEL32(00000000), ref: 024FEEAF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                      • String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe
                                                                      • API String ID: 359188348-3712348508
                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction ID: 57e0a585f8af466b2f18bf718e8c77468ceb7bd7ee470d275e9e35f15bae483d
                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction Fuzzy Hash: FD4181B2900109BFEB50EBA19E80EFF777DEB84304F0444ABE704DA150F7B05A988B60
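The function above carries the only file path string in this part of the listing, C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe, i.e. the dropped copy that the sample opens HKCU for and re-reads via the SetFileAttributesA/GetFileSize subcall. A hunting rule for that location is worth more than the hash of this one binary. The following is an added example, not code from the report or from Joe Sandbox: it scans constructed process-creation and service-install log lines for an executable sitting in an eight-letter directory under SysWOW64/System32 with an eight-letter name. The report shows exactly one such path; treating "eight random lower-case letters for both the directory and the file" as the general pattern is an assumption that must be tuned against local telemetry.

```python
import re

# Assumption (not from the report): both the directory and the binary are
# eight random lower-case letters. The listing shows one instance,
# C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe; the regex generalises it.
SUSPECT_PATH = re.compile(
    r"(?i)\bC:\\Windows\\(?:SysWOW64|System32)\\[a-z]{8}\\[a-z]{8}\.exe\b"
)

# Legitimate binaries that happen to match can be excluded here (lower-case
# full path). Keep the list short and audited.
ALLOWLIST = set()


def find_suspect_paths(log_lines):
    """Return (line_number, matched_path) for every log line that references
    a binary matching the eight-letter directory / eight-letter name shape."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for m in SUSPECT_PATH.finditer(line):
            path = m.group(0)
            if path.lower() in ALLOWLIST:
                continue
            hits.append((lineno, path))
    return hits


# Constructed sample log lines (not from the sandbox run). The path in lines
# 1 and 4 is the one the report lists; lines 2 and 3 are benign look-alikes,
# and "services.exe" shows that eight letters alone are not enough to match.
SAMPLE_LOG = [
    "EventID=4688 NewProcessName=C:\\Windows\\SysWOW64\\bazwewbz\\wuefhdgm.exe "
    "ParentProcessName=C:\\Windows\\System32\\services.exe",
    "EventID=4688 NewProcessName=C:\\Windows\\SysWOW64\\svchost.exe "
    "ParentProcessName=C:\\Windows\\System32\\services.exe",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "ParentProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=7045 ImagePath=C:\\Windows\\SysWOW64\\bazwewbz\\wuefhdgm.exe",
]

if __name__ == "__main__":
    for lineno, path in find_suspect_paths(SAMPLE_LOG):
        print(f"line {lineno}: {path}")
```

The rule deliberately keys on the directory shape rather than on the file name, because the service-install event (7045) and the process-creation event (4688) both carry the full image path while the name itself changes per infection.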
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 024FAFFF
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 024FB00D
                                                                        • Part of subcall function 024FAF6F: gethostname.WS2_32(?,00000080), ref: 024FAF83
                                                                        • Part of subcall function 024FAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 024FAFE6
                                                                        • Part of subcall function 024F331C: gethostname.WS2_32(?,00000080), ref: 024F333F
                                                                        • Part of subcall function 024F331C: gethostbyname.WS2_32(?), ref: 024F3349
                                                                        • Part of subcall function 024FAA0A: inet_ntoa.WS2_32(00000000), ref: 024FAA10
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %OUTLOOK_BND_
                                                                      • API String ID: 1981676241-3684217054
                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction ID: 6c67656ecfee36a0685cebd46c3c3f7ec0befaaf91a2ae693f1d92d93231ff67
                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction Fuzzy Hash: 3E41607290020CAFDB61EFA1DC45EEE3B6DFF48304F14442BFA2592151EA75EA448F54
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 024F9536
                                                                      • Sleep.KERNEL32(000001F4), ref: 024F955D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-3916222277
                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction ID: 3d3aaffe0af8942e09e337ea3c7125b716f914edf360eda09c4142e6ef97bae7
                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction Fuzzy Hash: 1D412972C083997FEBB68B68D89C7A73FA49BC2318F1410A7D682572A2D7744981C711
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                      • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID: ,k@
                                                                      • API String ID: 3934441357-1053005162
                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 024FB9D9
                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 024FBA3A
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 024FBA94
                                                                      • GetTickCount.KERNEL32 ref: 024FBB79
                                                                      • GetTickCount.KERNEL32 ref: 024FBB99
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 024FBE15
                                                                      • closesocket.WS2_32(00000000), ref: 024FBEB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 1869671989-2903620461
                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction ID: bd667fb0036900d3adb318375d01ecf2c7cb3a80b1f8e5fe3323589bf978ea6f
                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction Fuzzy Hash: 28317C71500248DFDFA5DFA5DC84AEAB7A9EB89704F20405BFB2482160EB30DA85CF10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 536389180-1857712256
                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                      APIs
                                                                      Strings
                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickwsprintf
                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                      • API String ID: 2424974917-1012700906
                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                      APIs
                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 3716169038-2903620461
                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 024F70BC
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 024F70F4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID: |
                                                                      • API String ID: 2370142434-2343686810
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: ab2670516983cca0ee6db256ebadc1ce2e6803e9dc6c1fd48acecf2f3763383d
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: C0112A72900118EBDB52CFD4DD84ADFB7BCEB44305F1441A6E701E6294D7749B88CBA0
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: localcfg
                                                                      • API String ID: 2777991786-1857712256
                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                      APIs
                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 224340156-2903620461
                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                      APIs
                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                      • String ID: localcfg
                                                                      • API String ID: 2112563974-1857712256
                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                      APIs
                                                                      • inet_addr.WS2_32(00000001), ref: 00402693
                                                                      • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg
                                                                      • API String ID: 1594361348-2401304539
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 2574300362-2227199552
                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                      APIs
                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 62cf705a705524b5481c3e56b905c2216abe02b2d19e69cd26a80eb50737c7aa
                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                      • Opcode Fuzzy Hash: 62cf705a705524b5481c3e56b905c2216abe02b2d19e69cd26a80eb50737c7aa
                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                      APIs
                                                                        • Part of subcall function 024F2F88: GetModuleHandleA.KERNEL32(?), ref: 024F2FA1
                                                                        • Part of subcall function 024F2F88: LoadLibraryA.KERNEL32(?), ref: 024F2FB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 024F31DA
                                                                      • HeapFree.KERNEL32(00000000), ref: 024F31E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2105430301.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_24f0000_wuefhdgm.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction ID: 8147e6e128b689361e744be1c35b16ef96e8b44771509174dceaa996af349663
                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction Fuzzy Hash: AE51BE3190028AEFCB41DF64D884AFABB75FF45304F1541AAED96D7210E732DA19CB90
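                                                                      The per-function blocks above share one fixed layout: an "APIs" list (with optional "Part of subcall function" prefixes), a "Source File ..., Offset ..., based on PE" line and a set of "Similarity" attributes. The parser below is an added example, not Joe Sandbox's code and not part of this report; it turns that text into records so the API usage and recovered strings of many functions can be aggregated instead of read block by block. The embedded sample is copied from three of the blocks above (trimmed to the lines the parser reads); the regular expressions assume the layout shown on this page (API name, a dot, the module, the argument list, then "ref:" and a hex call-site address), which other report versions may not follow.

```python
"""Parse Joe Sandbox per-function blocks (APIs / Memory Dump Source / Similarity)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed line layout, as on this page: optional subcall prefix, then
# Api.MODULE(args), ref: <hex call site>; args are never nested in parentheses.
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
_SOURCE_RE = re.compile(
    r"^Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                      # call-site address
    parent: Optional[int] = None  # subcall function address, if reported


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)  # "API ID", "String ID", ...
    source_file: Optional[str] = None
    base: Optional[int] = None
    based_on_pe: Optional[bool] = None


def parse_blocks(text: str) -> list:
    """Split report text into FunctionBlocks; every 'APIs' header starts a new one."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # drop indentation and bullet
        if not line:
            continue
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:  # text before the first block
            continue
        m = _API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            parent = int(m.group("parent"), 16) if m.group("parent") else None
            cur.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                     int(m.group("ref"), 16), parent))
            continue
        m = _SOURCE_RE.match(line)
        if m:
            cur.source_file = m.group("file")
            cur.base = int(m.group("offset"), 16)
            cur.based_on_pe = m.group("pe") == "true"
            continue
        if ":" in line:  # Similarity / snapshot attributes, e.g. "String ID: localcfg"
            key, _, value = line.partition(":")
            cur.attrs[key.strip()] = value.strip()
    return blocks


def calls_by_module(blocks) -> dict:
    """Module name -> sorted API names seen anywhere in the blocks."""
    seen = {}
    for b in blocks:
        for c in b.calls:
            seen.setdefault(c.module.upper(), set()).add(c.api)
    return {k: sorted(v) for k, v in seen.items()}


def string_args(blocks) -> list:
    """Arguments that are neither '?' nor an 8-digit hex word: the literal strings recovered at call sites."""
    found = set()
    for b in blocks:
        for c in b.calls:
            for a in (x.strip() for x in c.args):
                if a and a != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                    found.add(a)
    return sorted(found)


# Sample input: three blocks copied from this report, trimmed to the lines parsed.
SAMPLE = """\
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
• Source File: 0000000C.00000002.2103702997.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
• String ID: %FROM_EMAIL
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
• API ID: gethostbyaddrinet_ntoa
"""
```

                                                                      Running `calls_by_module(parse_blocks(SAMPLE))` groups the three functions' imports by DLL (WS2_32 versus KERNEL32), and `string_args` lists the literals the analyser recovered at the call sites (Iphlpapi.dll, localcfg, hi_id, %FROM_EMAIL, the "no locks and using MX is disabled" message), which is the quickest way to pull the configuration keys and templates out of a long report for a detection rule.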

                                                                      Execution Graph

                                                                      Execution Coverage:14.6%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0.7%
                                                                      Total number of Nodes:1807
                                                                      Total number of Limit Nodes:18
                                                                      execution_graph: the interactive graph view (1807 nodes, 18 limit nodes) does not survive as text; only the API names attached to graph nodes are recoverable. The entry node (2789a6b) calls SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter. API names on the remaining nodes, grouped by purpose:
                                                                      • Environment and timing: GetVersionExA, GetSystemInfo, GetCurrentProcess, GetCurrentThreadId, GetCommandLineA, GetModuleHandleA, GetModuleFileNameA, LoadLibraryA, GetProcAddress, IsBadWritePtr, GetSystemTimeAsFileTime, GetSystemTime, SystemTimeToFileTime, GetTickCount, InterlockedExchange, Sleep, ExitProcess, GetLastError
                                                                      • Host fingerprinting: GetVolumeInformationA, GetUserNameA, GetEnvironmentVariableA, GetSystemDirectoryA, GetWindowsDirectoryA, GetTempPathA, GetDriveTypeA, GetDiskFreeSpaceA
                                                                      • Files, processes and services: CreateFileA, CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesExA, SetFileAttributesA, DeleteFileA, CloseHandle, DeviceIoControl, CreateProcessA, ShellExecuteA, CreateThread, CreateEventA, WaitForSingleObject, StartServiceCtrlDispatcherA, CharToOemA
                                                                      • Registry: RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCloseKey
                                                                      • Network: WSAStartup, inet_addr, send, closesocket
                                                                      • Heap and strings: GetProcessHeap, HeapSize, RtlAllocateHeap, RtlFreeHeap, lstrcmpiA, lstrcpyA, lstrcatA, lstrlenA, wsprintfA (the heap helper at 278ec2e is labelled codecvt by the analyser)
                                                                      Edges worth noting in the dump: the CreateProcessA node (278a103) has a successor DeleteFileA node (278a12a), matching the "Deletes itself after installation" signature in the overview, and the RegOpenKeyExA node (2789f32) leads to a RegSetValueExA / RegCloseKey node (2789f48).
6672->6674 6675 278e46e RegQueryValueExA 6673->6675 6674->6670 6675->6673 6676 278e488 6675->6676 6676->6674 6677 278db2e 8 API calls 6676->6677 6678 278e499 6677->6678 6678->6674 6679 278e4b9 RegQueryValueExA 6678->6679 6680 278e4e8 6678->6680 6679->6678 6679->6680 6680->6674 6681 278e332 14 API calls 6680->6681 6682 278e513 6681->6682 6682->6674 6684 278db3a 6683->6684 6686 278db55 6683->6686 6696 278ebed 6684->6696 6686->6268 6686->6273 6714 278f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6687->6714 6689 278e3be 6689->6268 6690 278e342 6690->6689 6717 278de24 6690->6717 6693 278dbca 6692->6693 6695 278db89 lstrcpyA CreateFileA 6692->6695 6693->6662 6695->6662 6697 278ec01 6696->6697 6698 278ebf6 6696->6698 6708 278eba0 6697->6708 6705 278ebcc GetProcessHeap RtlAllocateHeap 6698->6705 6706 278eb74 2 API calls 6705->6706 6707 278ebe8 6706->6707 6707->6686 6709 278eba7 GetProcessHeap HeapSize 6708->6709 6710 278ebbf GetProcessHeap HeapReAlloc 6708->6710 6709->6710 6711 278eb74 6710->6711 6712 278eb7b GetProcessHeap HeapSize 6711->6712 6713 278eb93 6711->6713 6712->6713 6713->6686 6728 278eb41 6714->6728 6716 278f0b7 6716->6690 6718 278de3a 6717->6718 6724 278de4e 6718->6724 6737 278dd84 6718->6737 6721 278ebed 8 API calls 6726 278def6 6721->6726 6722 278de9e 6722->6721 6722->6724 6723 278de76 6741 278ddcf 6723->6741 6724->6690 6726->6724 6727 278ddcf lstrcmpA 6726->6727 6727->6724 6729 278eb4a 6728->6729 6730 278eb61 6728->6730 6733 278eae4 6729->6733 6730->6716 6732 278eb54 6732->6716 6732->6730 6734 278eaed LoadLibraryA 6733->6734 6735 278eb02 GetProcAddress 6733->6735 6734->6735 6736 278eb01 6734->6736 6735->6732 6736->6732 6738 278dd96 6737->6738 6739 278ddc5 6737->6739 6738->6739 6740 278ddad lstrcmpiA 6738->6740 6739->6722 6739->6723 6740->6738 6740->6739 6742 278de20 6741->6742 6743 278dddd 6741->6743 6742->6724 6743->6742 6744 278ddfa lstrcmpA 6743->6744 6744->6743 6746 278dd05 6 API calls 6745->6746 6747 278e821 6746->6747 6748 278dd84 lstrcmpiA 
6747->6748 6749 278e82c 6748->6749 6751 278e844 6749->6751 6795 2782480 6749->6795 6751->6293 6753 278ea98 6752->6753 6804 278e8a1 6753->6804 6755 2781e84 6755->6301 6757 27819ce 6756->6757 6758 27819d5 GetProcAddress GetProcAddress GetProcAddress 6756->6758 6757->6306 6759 2781ab3 FreeLibrary 6758->6759 6760 2781a04 6758->6760 6759->6757 6760->6759 6761 2781a14 GetBestInterface GetProcessHeap 6760->6761 6761->6757 6762 2781a2e HeapAlloc 6761->6762 6762->6757 6763 2781a42 GetAdaptersInfo 6762->6763 6764 2781a62 6763->6764 6765 2781a52 HeapReAlloc 6763->6765 6766 2781a69 GetAdaptersInfo 6764->6766 6767 2781aa1 FreeLibrary 6764->6767 6765->6764 6766->6767 6768 2781a75 HeapFree 6766->6768 6767->6757 6768->6767 6832 2781ac3 LoadLibraryA 6770->6832 6773 2781bcf 6773->6317 6775 2781ac3 13 API calls 6774->6775 6776 2781c09 6775->6776 6777 2781c5a 6776->6777 6778 2781c0d GetComputerNameA 6776->6778 6777->6325 6779 2781c1f 6778->6779 6780 2781c45 GetVolumeInformationA 6778->6780 6779->6780 6781 2781c41 6779->6781 6780->6777 6781->6777 6783 278ee2a 6782->6783 6784 27830d0 gethostname gethostbyname 6783->6784 6785 2781f82 6784->6785 6785->6331 6785->6332 6787 278dd05 6 API calls 6786->6787 6788 278df7c 6787->6788 6789 278dd84 lstrcmpiA 6788->6789 6793 278df89 6789->6793 6790 278dfc4 6790->6299 6791 278ddcf lstrcmpA 6791->6793 6792 278ec2e codecvt 4 API calls 6792->6793 6793->6790 6793->6791 6793->6792 6794 278dd84 lstrcmpiA 6793->6794 6794->6793 6798 2782419 lstrlenA 6795->6798 6797 2782491 6797->6751 6799 278243d lstrlenA 6798->6799 6800 2782474 6798->6800 6801 278244e lstrcmpiA 6799->6801 6802 2782464 lstrlenA 6799->6802 6800->6797 6801->6802 6803 278245c 6801->6803 6802->6799 6802->6800 6803->6800 6803->6802 6805 278dd05 6 API calls 6804->6805 6806 278e8b4 6805->6806 6807 278dd84 lstrcmpiA 6806->6807 6808 278e8c0 6807->6808 6809 278e8c8 lstrcpynA 6808->6809 6810 278e90a 6808->6810 6811 278e8f5 6809->6811 6812 2782419 4 API calls 6810->6812 6820 278ea27 6810->6820 6825 
278df4c 6811->6825 6813 278e926 lstrlenA lstrlenA 6812->6813 6815 278e96a 6813->6815 6816 278e94c lstrlenA 6813->6816 6819 278ebcc 4 API calls 6815->6819 6815->6820 6816->6815 6817 278e901 6818 278dd84 lstrcmpiA 6817->6818 6818->6810 6821 278e98f 6819->6821 6820->6755 6821->6820 6822 278df4c 20 API calls 6821->6822 6823 278ea1e 6822->6823 6824 278ec2e codecvt 4 API calls 6823->6824 6824->6820 6826 278dd05 6 API calls 6825->6826 6827 278df51 6826->6827 6828 278f04e 4 API calls 6827->6828 6829 278df58 6828->6829 6830 278de24 10 API calls 6829->6830 6831 278df63 6830->6831 6831->6817 6833 2781b68 GetComputerNameA GetVolumeInformationA 6832->6833 6834 2781ae2 GetProcAddress 6832->6834 6833->6773 6834->6833 6839 2781af5 6834->6839 6835 2781b1c GetAdaptersAddresses 6836 2781b29 6835->6836 6835->6839 6836->6833 6838 278ec2e codecvt 4 API calls 6836->6838 6837 278ebed 8 API calls 6837->6839 6838->6833 6839->6835 6839->6836 6839->6837 6841 2786ec3 2 API calls 6840->6841 6842 2787ef4 6841->6842 6844 2787fc9 6842->6844 6876 27873ff 6842->6876 6844->6341 6845 2787f16 6845->6844 6845->6845 6896 2787809 GetUserNameA 6845->6896 6847 2787f63 6847->6844 6920 278ef1e lstrlenA 6847->6920 6850 278ef1e lstrlenA 6851 2787fb7 6850->6851 6922 2787a95 RegOpenKeyExA 6851->6922 6854 2787073 6853->6854 6855 27870b9 RegOpenKeyExA 6854->6855 6856 27871b8 6855->6856 6857 27870d0 6855->6857 6856->6340 6858 2786dc2 6 API calls 6857->6858 6861 27870d5 6858->6861 6859 278719b RegEnumValueA 6860 27871af RegCloseKey 6859->6860 6859->6861 6860->6856 6861->6859 6862 27871d0 6861->6862 6953 278f1a5 lstrlenA 6861->6953 6864 2787205 RegCloseKey 6862->6864 6865 2787227 6862->6865 6864->6856 6866 27872b8 ___ascii_stricmp 6865->6866 6867 278728e RegCloseKey 6865->6867 6868 27872cd RegCloseKey 6866->6868 6869 27872dd 6866->6869 6867->6856 6868->6856 6870 2787311 RegCloseKey 6869->6870 6871 2787335 6869->6871 6870->6856 6872 27873d5 RegCloseKey 6871->6872 6874 278737e GetFileAttributesExA 6871->6874 6875 
2787397 6871->6875 6873 27873e4 6872->6873 6874->6875 6875->6872 6877 278741b 6876->6877 6878 2786dc2 6 API calls 6877->6878 6879 278743f 6878->6879 6880 2787469 RegOpenKeyExA 6879->6880 6881 27877f9 6880->6881 6891 2787487 ___ascii_stricmp 6880->6891 6881->6845 6882 2787703 RegEnumKeyA 6883 2787714 RegCloseKey 6882->6883 6882->6891 6883->6881 6884 27874d2 RegOpenKeyExA 6884->6891 6885 278772c 6887 278774b 6885->6887 6888 2787742 RegCloseKey 6885->6888 6886 2787521 RegQueryValueExA 6886->6891 6890 27877ec RegCloseKey 6887->6890 6888->6887 6889 27876e4 RegCloseKey 6889->6891 6890->6881 6891->6882 6891->6884 6891->6885 6891->6886 6891->6889 6892 2787769 6891->6892 6894 278f1a5 lstrlenA 6891->6894 6895 278777e GetFileAttributesExA 6891->6895 6893 27877e3 RegCloseKey 6892->6893 6893->6890 6894->6891 6895->6892 6897 278783d LookupAccountNameA 6896->6897 6898 2787a8d 6896->6898 6897->6898 6899 2787874 GetLengthSid GetFileSecurityA 6897->6899 6898->6847 6899->6898 6900 27878a8 GetSecurityDescriptorOwner 6899->6900 6901 278791d GetSecurityDescriptorDacl 6900->6901 6902 27878c5 EqualSid 6900->6902 6901->6898 6909 2787941 6901->6909 6902->6901 6903 27878dc LocalAlloc 6902->6903 6903->6901 6904 27878ef InitializeSecurityDescriptor 6903->6904 6905 27878fb SetSecurityDescriptorOwner 6904->6905 6906 2787916 LocalFree 6904->6906 6905->6906 6908 278790b SetFileSecurityA 6905->6908 6906->6901 6907 278795b GetAce 6907->6909 6908->6906 6909->6898 6909->6907 6910 2787980 EqualSid 6909->6910 6911 2787a3d 6909->6911 6912 27879be EqualSid 6909->6912 6913 278799d DeleteAce 6909->6913 6910->6909 6911->6898 6914 2787a43 LocalAlloc 6911->6914 6912->6909 6913->6909 6914->6898 6915 2787a56 InitializeSecurityDescriptor 6914->6915 6916 2787a62 SetSecurityDescriptorDacl 6915->6916 6917 2787a86 LocalFree 6915->6917 6916->6917 6918 2787a73 SetFileSecurityA 6916->6918 6917->6898 6918->6917 6919 2787a83 6918->6919 6919->6917 6921 2787fa6 6920->6921 6921->6850 6923 2787acb GetUserNameA 6922->6923 6924 
2787ac4 6922->6924 6925 2787aed LookupAccountNameA 6923->6925 6926 2787da7 RegCloseKey 6923->6926 6924->6844 6925->6926 6927 2787b24 RegGetKeySecurity 6925->6927 6926->6924 6927->6926 6928 2787b49 GetSecurityDescriptorOwner 6927->6928 6929 2787bb8 GetSecurityDescriptorDacl 6928->6929 6930 2787b63 EqualSid 6928->6930 6932 2787bdc 6929->6932 6933 2787da6 6929->6933 6930->6929 6931 2787b74 LocalAlloc 6930->6931 6931->6929 6934 2787b8a InitializeSecurityDescriptor 6931->6934 6932->6933 6937 2787bf8 GetAce 6932->6937 6939 2787c1d EqualSid 6932->6939 6940 2787c5f EqualSid 6932->6940 6941 2787cd9 6932->6941 6942 2787c3a DeleteAce 6932->6942 6933->6926 6935 2787bb1 LocalFree 6934->6935 6936 2787b96 SetSecurityDescriptorOwner 6934->6936 6935->6929 6936->6935 6938 2787ba6 RegSetKeySecurity 6936->6938 6937->6932 6938->6935 6939->6932 6940->6932 6941->6933 6943 2787d5a LocalAlloc 6941->6943 6945 2787cf2 RegOpenKeyExA 6941->6945 6942->6932 6943->6933 6944 2787d70 InitializeSecurityDescriptor 6943->6944 6946 2787d7c SetSecurityDescriptorDacl 6944->6946 6947 2787d9f LocalFree 6944->6947 6945->6943 6950 2787d0f 6945->6950 6946->6947 6948 2787d8c RegSetKeySecurity 6946->6948 6947->6933 6948->6947 6949 2787d9c 6948->6949 6949->6947 6951 2787d43 RegSetValueExA 6950->6951 6951->6943 6952 2787d54 6951->6952 6952->6943 6954 278f1c3 6953->6954 6954->6861 6955->6361 6957 278dd05 6 API calls 6956->6957 6960 278e65f 6957->6960 6958 278e6a5 6959 278ebcc 4 API calls 6958->6959 6964 278e6f5 6958->6964 6962 278e6b0 6959->6962 6960->6958 6961 278e68c lstrcmpA 6960->6961 6961->6960 6963 278e6e0 lstrcpynA 6962->6963 6962->6964 6966 278e6b7 6962->6966 6963->6964 6965 278e71d lstrcmpA 6964->6965 6964->6966 6965->6964 6966->6363 6967->6369 6969 2782692 inet_addr 6968->6969 6971 278268e 6968->6971 6970 278269e gethostbyname 6969->6970 6969->6971 6970->6971 6972 278f428 6971->6972 7120 278f315 6972->7120 6975 278f43e 6976 278f473 recv 6975->6976 6977 278f47c 6976->6977 6978 278f458 6976->6978 
6977->6400 6978->6976 6978->6977 6980 278c532 6979->6980 6981 278c525 6979->6981 6982 278c548 6980->6982 7133 278e7ff 6980->7133 6981->6980 6984 278ec2e codecvt 4 API calls 6981->6984 6985 278e7ff lstrcmpiA 6982->6985 6992 278c54f 6982->6992 6984->6980 6986 278c615 6985->6986 6987 278ebcc 4 API calls 6986->6987 6986->6992 6987->6992 6988 278c5d1 6991 278ebcc 4 API calls 6988->6991 6990 278e819 11 API calls 6993 278c5b7 6990->6993 6991->6992 6992->6382 6994 278f04e 4 API calls 6993->6994 6995 278c5bf 6994->6995 6995->6982 6995->6988 6998 278c8d2 6996->6998 6997 278c907 6997->6384 6998->6997 6999 278c517 23 API calls 6998->6999 6999->6997 7001 278c670 7000->7001 7002 278c67d 7000->7002 7003 278ebcc 4 API calls 7001->7003 7004 278c699 7002->7004 7005 278ebcc 4 API calls 7002->7005 7003->7002 7006 278c6f3 7004->7006 7007 278c73c send 7004->7007 7005->7004 7006->6413 7006->6438 7007->7006 7009 278c770 7008->7009 7011 278c77d 7008->7011 7010 278ebcc 4 API calls 7009->7010 7010->7011 7012 278c799 7011->7012 7013 278ebcc 4 API calls 7011->7013 7014 278c7b5 7012->7014 7015 278ebcc 4 API calls 7012->7015 7013->7012 7016 278f43e recv 7014->7016 7015->7014 7017 278c7cb 7016->7017 7018 278f43e recv 7017->7018 7019 278c7d3 7017->7019 7018->7019 7019->6438 7136 2787db7 7020->7136 7023 2787e70 7024 2787e96 7023->7024 7026 278f04e 4 API calls 7023->7026 7024->6438 7025 278f04e 4 API calls 7027 2787e4c 7025->7027 7026->7024 7027->7023 7028 278f04e 4 API calls 7027->7028 7028->7023 7030 2786ec3 2 API calls 7029->7030 7031 2787fdd 7030->7031 7032 27880c2 CreateProcessA 7031->7032 7033 27873ff 17 API calls 7031->7033 7032->6466 7032->6467 7034 2787fff 7033->7034 7034->7032 7035 2787809 21 API calls 7034->7035 7036 278804d 7035->7036 7036->7032 7037 278ef1e lstrlenA 7036->7037 7038 278809e 7037->7038 7039 278ef1e lstrlenA 7038->7039 7040 27880af 7039->7040 7041 2787a95 24 API calls 7040->7041 7041->7032 7043 2787db7 2 API calls 7042->7043 7044 2787eb8 7043->7044 7045 278f04e 4 API calls 
7044->7045 7046 2787ece DeleteFileA 7045->7046 7046->6438 7048 278dd05 6 API calls 7047->7048 7049 278e31d 7048->7049 7140 278e177 7049->7140 7051 278e326 7051->6437 7053 27831f3 7052->7053 7063 27831ec 7052->7063 7054 278ebcc 4 API calls 7053->7054 7067 27831fc 7054->7067 7055 278344b 7056 2783459 7055->7056 7057 278349d 7055->7057 7059 278f04e 4 API calls 7056->7059 7058 278ec2e codecvt 4 API calls 7057->7058 7058->7063 7060 278345f 7059->7060 7061 27830fa 4 API calls 7060->7061 7061->7063 7062 278ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7062->7067 7063->6438 7064 278344d 7065 278ec2e codecvt 4 API calls 7064->7065 7065->7055 7067->7055 7067->7062 7067->7063 7067->7064 7068 2783141 lstrcmpiA 7067->7068 7166 27830fa GetTickCount 7067->7166 7068->7067 7070 27830fa 4 API calls 7069->7070 7071 2783c1a 7070->7071 7072 2783ce6 7071->7072 7171 2783a72 7071->7171 7072->6438 7075 2783a72 9 API calls 7078 2783c5e 7075->7078 7076 2783a72 9 API calls 7076->7078 7077 278ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7077->7078 7078->7072 7078->7076 7078->7077 7080 2783a10 7079->7080 7081 27830fa 4 API calls 7080->7081 7082 2783a1a 7081->7082 7082->6438 7084 278dd05 6 API calls 7083->7084 7085 278e7be 7084->7085 7085->6438 7087 278c07e wsprintfA 7086->7087 7091 278c105 7086->7091 7180 278bfce GetTickCount wsprintfA 7087->7180 7089 278c0ef 7181 278bfce GetTickCount wsprintfA 7089->7181 7091->6438 7093 2786f88 LookupAccountNameA 7092->7093 7094 2787047 7092->7094 7096 2786fcb 7093->7096 7097 2787025 7093->7097 7094->6438 7100 2786fdb ConvertSidToStringSidA 7096->7100 7182 2786edd 7097->7182 7100->7097 7101 2786ff1 7100->7101 7102 2787013 LocalFree 7101->7102 7102->7097 7104 278dd05 6 API calls 7103->7104 7105 278e85c 7104->7105 7106 278dd84 lstrcmpiA 7105->7106 7107 278e867 7106->7107 7108 278e885 lstrcpyA 7107->7108 7193 27824a5 7107->7193 7196 278dd69 7108->7196 7114 2787db7 2 API calls 7113->7114 7115 2787de1 7114->7115 7116 2787e16 
7115->7116 7117 278f04e 4 API calls 7115->7117 7116->6438 7118 2787df2 7117->7118 7118->7116 7119 278f04e 4 API calls 7118->7119 7119->7116 7121 278f33b 7120->7121 7122 278ca1d 7120->7122 7123 278f347 htons socket 7121->7123 7122->6397 7122->6975 7124 278f382 ioctlsocket 7123->7124 7125 278f374 closesocket 7123->7125 7126 278f3aa connect select 7124->7126 7127 278f39d 7124->7127 7125->7122 7126->7122 7129 278f3f2 __WSAFDIsSet 7126->7129 7128 278f39f closesocket 7127->7128 7128->7122 7129->7128 7130 278f403 ioctlsocket 7129->7130 7132 278f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7130->7132 7132->7122 7134 278dd84 lstrcmpiA 7133->7134 7135 278c58e 7134->7135 7135->6982 7135->6988 7135->6990 7137 2787dc8 InterlockedExchange 7136->7137 7138 2787dc0 Sleep 7137->7138 7139 2787dd4 7137->7139 7138->7137 7139->7023 7139->7025 7141 278e184 7140->7141 7142 278e2e4 7141->7142 7143 278e223 7141->7143 7156 278dfe2 7141->7156 7142->7051 7143->7142 7146 278dfe2 8 API calls 7143->7146 7145 278e1be 7145->7143 7147 278dbcf 3 API calls 7145->7147 7149 278e23c 7146->7149 7150 278e1d6 7147->7150 7148 278e21a CloseHandle 7148->7143 7149->7142 7160 278e095 RegCreateKeyExA 7149->7160 7150->7143 7150->7148 7151 278e1f9 WriteFile 7150->7151 7151->7148 7153 278e213 7151->7153 7153->7148 7154 278e2a3 7154->7142 7155 278e095 4 API calls 7154->7155 7155->7142 7157 278dffc 7156->7157 7159 278e024 7156->7159 7158 278db2e 8 API calls 7157->7158 7157->7159 7158->7159 7159->7145 7161 278e172 7160->7161 7163 278e0c0 7160->7163 7161->7154 7162 278e13d 7164 278e14e RegDeleteValueA RegCloseKey 7162->7164 7163->7162 7165 278e115 RegSetValueExA 7163->7165 7164->7161 7165->7162 7165->7163 7167 2783122 InterlockedExchange 7166->7167 7168 278312e 7167->7168 7169 278310f GetTickCount 7167->7169 7168->7067 7169->7168 7170 278311a Sleep 7169->7170 7170->7167 7172 278f04e 4 API calls 7171->7172 7179 2783a83 7172->7179 7173 2783ac1 7173->7072 7173->7075 7174 2783be6 7176 278ec2e codecvt 4 API 
calls 7174->7176 7175 2783bc0 7175->7174 7177 278ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7175->7177 7176->7173 7177->7175 7178 2783b66 lstrlenA 7178->7173 7178->7179 7179->7173 7179->7175 7179->7178 7180->7089 7181->7091 7183 2786eef AllocateAndInitializeSid 7182->7183 7189 2786f55 wsprintfA 7182->7189 7184 2786f1c CheckTokenMembership 7183->7184 7185 2786f44 7183->7185 7186 2786f3b FreeSid 7184->7186 7187 2786f2e 7184->7187 7185->7189 7190 2786e36 GetUserNameW 7185->7190 7186->7185 7187->7186 7189->7094 7191 2786e97 7190->7191 7192 2786e5f LookupAccountNameW 7190->7192 7191->7189 7192->7191 7194 2782419 4 API calls 7193->7194 7195 27824b6 7194->7195 7195->7108 7197 278dd79 lstrlenA 7196->7197 7197->6438 7199 278eb17 7198->7199 7201 278eb21 7198->7201 7200 278eae4 2 API calls 7199->7200 7200->7201 7201->6524 7203 27869b9 WriteFile 7202->7203 7205 2786a3c 7203->7205 7207 27869ff 7203->7207 7205->6520 7205->6521 7206 2786a10 WriteFile 7206->7205 7206->7207 7207->7205 7207->7206 7209 2783edc 7208->7209 7210 2783ee2 7208->7210 7211 2786dc2 6 API calls 7209->7211 7210->6534 7211->7210 7213 278400b CreateFileA 7212->7213 7214 278402c GetLastError 7213->7214 7216 2784052 7213->7216 7215 2784037 7214->7215 7214->7216 7215->7216 7217 2784041 Sleep 7215->7217 7216->6538 7217->7213 7217->7216 7219 2783f7c 7218->7219 7220 2783f4e GetLastError 7218->7220 7222 2783f8c ReadFile 7219->7222 7220->7219 7221 2783f5b WaitForSingleObject GetOverlappedResult 7220->7221 7221->7219 7223 2783fc2 GetLastError 7222->7223 7225 2783ff0 7222->7225 7224 2783fcf WaitForSingleObject GetOverlappedResult 7223->7224 7223->7225 7224->7225 7225->6543 7225->6544 7227 2781924 GetVersionExA 7226->7227 7227->6583 7229 278f0ed 7228->7229 7230 278f0f1 7228->7230 7229->6615 7231 278f119 7230->7231 7232 278f0fa lstrlenA SysAllocStringByteLen 7230->7232 7233 278f11c MultiByteToWideChar 7231->7233 7232->7233 7234 278f117 7232->7234 7233->7234 7234->6615 7236 2781820 17 API calls 
7235->7236 7237 27818f2 7236->7237 7238 27818f9 7237->7238 7252 2781280 7237->7252 7238->6602 7240 2781908 7240->6602 7264 2781000 7241->7264 7243 2781839 7244 278183d 7243->7244 7245 2781851 GetCurrentProcess 7243->7245 7244->6601 7246 2781864 7245->7246 7246->6601 7248 2789308 7247->7248 7251 278920e 7247->7251 7248->6602 7249 27892f1 Sleep 7249->7251 7250 27892bf ShellExecuteA 7250->7248 7250->7251 7251->7248 7251->7249 7251->7250 7253 27812e1 7252->7253 7254 27816f9 GetLastError 7253->7254 7262 27813a8 7253->7262 7255 2781699 7254->7255 7255->7240 7256 2781570 lstrlenW 7256->7262 7257 27815be GetStartupInfoW 7257->7262 7258 27815ff CreateProcessWithLogonW 7259 27816bf GetLastError 7258->7259 7260 278163f WaitForSingleObject 7258->7260 7259->7255 7261 2781659 CloseHandle 7260->7261 7260->7262 7261->7262 7262->7255 7262->7256 7262->7257 7262->7258 7263 2781668 CloseHandle 7262->7263 7263->7262 7265 278100d LoadLibraryA 7264->7265 7282 2781023 7264->7282 7267 2781021 7265->7267 7265->7282 7266 27810b5 GetProcAddress 7268 278127b 7266->7268 7269 27810d1 GetProcAddress 7266->7269 7267->7243 7268->7243 7269->7268 7270 27810f0 GetProcAddress 7269->7270 7270->7268 7271 2781110 GetProcAddress 7270->7271 7271->7268 7272 2781130 GetProcAddress 7271->7272 7272->7268 7273 278114f GetProcAddress 7272->7273 7273->7268 7274 278116f GetProcAddress 7273->7274 7274->7268 7275 278118f GetProcAddress 7274->7275 7275->7268 7276 27811ae GetProcAddress 7275->7276 7276->7268 7277 27811ce GetProcAddress 7276->7277 7277->7268 7278 27811ee GetProcAddress 7277->7278 7278->7268 7279 2781209 GetProcAddress 7278->7279 7279->7268 7280 2781225 GetProcAddress 7279->7280 7280->7268 7281 2781241 GetProcAddress 7280->7281 7281->7268 7283 278125c GetProcAddress 7281->7283 7282->7266 7284 27810ae 7282->7284 7283->7268 7284->7243 7286 278908d 7285->7286 7287 27890e2 wsprintfA 7286->7287 7288 278ee2a 7287->7288 7289 27890fd CreateFileA 7288->7289 7290 278911a lstrlenA WriteFile CloseHandle 7289->7290 
7291 278913f 7289->7291 7290->7291 7291->6638 7291->6639 7293 278ee2a 7292->7293 7294 2789794 CreateProcessA 7293->7294 7295 27897bb 7294->7295 7296 27897c2 7294->7296 7295->6650 7297 27897d4 GetThreadContext 7296->7297 7298 2789801 7297->7298 7299 27897f5 7297->7299 7306 278637c 7298->7306 7300 27897f6 TerminateProcess 7299->7300 7300->7295 7302 2789816 7302->7300 7303 278981e WriteProcessMemory 7302->7303 7303->7299 7304 278983b SetThreadContext 7303->7304 7304->7299 7305 2789858 ResumeThread 7304->7305 7305->7295 7307 278638a GetModuleHandleA VirtualAlloc 7306->7307 7308 2786386 7306->7308 7309 27863b6 7307->7309 7313 27863f5 7307->7313 7308->7302 7310 27863be VirtualAllocEx 7309->7310 7311 27863d6 7310->7311 7310->7313 7312 27863df WriteProcessMemory 7311->7312 7312->7313 7313->7302 7315 2788791 7314->7315 7316 278879f 7314->7316 7318 278f04e 4 API calls 7315->7318 7317 27887bc 7316->7317 7319 278f04e 4 API calls 7316->7319 7320 278e819 11 API calls 7317->7320 7318->7316 7319->7317 7321 27887d7 7320->7321 7324 2788803 7321->7324 7469 27826b2 gethostbyaddr 7321->7469 7330 278f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7324->7330 7331 278e819 11 API calls 7324->7331 7332 27888a0 Sleep 7324->7332 7334 27826b2 2 API calls 7324->7334 7335 278e8a1 30 API calls 7324->7335 7366 2788cee 7324->7366 7374 278c4d6 7324->7374 7377 278c4e2 7324->7377 7380 2782011 7324->7380 7415 2788328 7324->7415 7325 27887eb 7325->7324 7327 278e8a1 30 API calls 7325->7327 7327->7324 7330->7324 7331->7324 7332->7324 7334->7324 7335->7324 7337 278407d 7336->7337 7338 2784084 7336->7338 7339 2783ecd 6 API calls 7338->7339 7340 278408f 7339->7340 7341 2784000 3 API calls 7340->7341 7342 2784095 7341->7342 7343 2784130 7342->7343 7344 27840c0 7342->7344 7345 2783ecd 6 API calls 7343->7345 7349 2783f18 4 API calls 7344->7349 7346 2784159 CreateNamedPipeA 7345->7346 7347 2784188 ConnectNamedPipe 7346->7347 7348 2784167 Sleep 7346->7348 7352 2784195 GetLastError 
7347->7352 7360 27841ab 7347->7360 7348->7343 7350 2784176 CloseHandle 7348->7350 7351 27840da 7349->7351 7350->7347 7353 2783f8c 4 API calls 7351->7353 7354 278425e DisconnectNamedPipe 7352->7354 7352->7360 7355 27840ec 7353->7355 7354->7347 7356 2784127 CloseHandle 7355->7356 7357 2784101 7355->7357 7356->7343 7359 2783f18 4 API calls 7357->7359 7358 2783f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7358->7360 7361 278411c ExitProcess 7359->7361 7360->7347 7360->7354 7360->7358 7362 2783f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7360->7362 7363 278426a CloseHandle CloseHandle 7360->7363 7362->7360 7364 278e318 23 API calls 7363->7364 7365 278427b 7364->7365 7365->7365 7367 2788dae 7366->7367 7368 2788d02 GetTickCount 7366->7368 7367->7324 7368->7367 7370 2788d19 7368->7370 7369 2788da1 GetTickCount 7369->7367 7370->7369 7373 2788d89 7370->7373 7474 278a677 7370->7474 7477 278a688 7370->7477 7373->7369 7485 278c2dc 7374->7485 7378 278c2dc 142 API calls 7377->7378 7379 278c4ec 7378->7379 7379->7324 7381 2782020 7380->7381 7382 278202e 7380->7382 7383 278f04e 4 API calls 7381->7383 7384 278204b 7382->7384 7385 278f04e 4 API calls 7382->7385 7383->7382 7386 278206e GetTickCount 7384->7386 7387 278f04e 4 API calls 7384->7387 7385->7384 7388 27820db GetTickCount 7386->7388 7396 2782090 7386->7396 7390 2782068 7387->7390 7389 2782132 GetTickCount GetTickCount 7388->7389 7401 27820e7 7388->7401 7392 278f04e 4 API calls 7389->7392 7390->7386 7391 27820d4 GetTickCount 7391->7388 7395 2782159 7392->7395 7393 278212b GetTickCount 7393->7389 7394 2782684 2 API calls 7394->7396 7397 27821b4 7395->7397 7400 278e854 13 API calls 7395->7400 7396->7391 7396->7394 7404 27820ce 7396->7404 7825 2781978 7396->7825 7399 278f04e 4 API calls 7397->7399 7403 27821d1 7399->7403 7405 278218e 7400->7405 7401->7393 7406 2781978 15 API calls 7401->7406 7407 2782125 7401->7407 7815 2782ef8 7401->7815 7408 27821f2 7403->7408 7410 278ea84 30 API calls 
7403->7410 7404->7391 7409 278e819 11 API calls 7405->7409 7406->7401 7407->7393 7408->7324 7411 278219c 7409->7411 7412 27821ec 7410->7412 7411->7397 7830 2781c5f 7411->7830 7413 278f04e 4 API calls 7412->7413 7413->7408 7416 2787dd6 6 API calls 7415->7416 7417 278833c 7416->7417 7418 2786ec3 2 API calls 7417->7418 7445 2788340 7417->7445 7419 278834f 7418->7419 7420 278835c 7419->7420 7424 278846b 7419->7424 7421 27873ff 17 API calls 7420->7421 7439 2788373 7421->7439 7422 27885df 7425 2788626 GetTempPathA 7422->7425 7435 2788768 7422->7435 7456 2788671 7422->7456 7423 278675c 21 API calls 7423->7422 7426 27884a7 RegOpenKeyExA 7424->7426 7449 2788450 7424->7449 7436 2788638 7425->7436 7428 27884c0 RegQueryValueExA 7426->7428 7429 278852f 7426->7429 7432 27884dd 7428->7432 7433 2788521 RegCloseKey 7428->7433 7437 2788564 RegOpenKeyExA 7429->7437 7441 27885a5 7429->7441 7430 27886ad 7431 2788762 7430->7431 7434 2787e2f 6 API calls 7430->7434 7431->7435 7432->7433 7444 278ebcc 4 API calls 7432->7444 7433->7429 7438 27886bb 7434->7438 7443 278ec2e codecvt 4 API calls 7435->7443 7435->7445 7436->7456 7440 2788573 RegSetValueExA RegCloseKey 7437->7440 7437->7441 7442 278875b DeleteFileA 7438->7442 7455 27886e0 lstrcpyA lstrlenA 7438->7455 7439->7445 7439->7449 7450 27883ea RegOpenKeyExA 7439->7450 7440->7441 7441->7449 7452 278ec2e codecvt 4 API calls 7441->7452 7442->7431 7443->7445 7447 27884f0 7444->7447 7445->7324 7447->7433 7448 27884f8 RegQueryValueExA 7447->7448 7448->7433 7451 2788515 7448->7451 7449->7422 7449->7423 7450->7449 7453 27883fd RegQueryValueExA 7450->7453 7454 278ec2e codecvt 4 API calls 7451->7454 7452->7449 7457 278842d RegSetValueExA 7453->7457 7458 278841e 7453->7458 7460 278851d 7454->7460 7461 2787fcf 64 API calls 7455->7461 7902 2786ba7 IsBadCodePtr 7456->7902 7459 2788447 RegCloseKey 7457->7459 7458->7457 7458->7459 7459->7449 7460->7433 7462 2788719 CreateProcessA 7461->7462 7463 278873d CloseHandle CloseHandle 7462->7463 7464 278874f 
7462->7464 7463->7435 7465 2787ee6 64 API calls 7464->7465 7466 2788754 7465->7466 7467 2787ead 6 API calls 7466->7467 7468 278875a 7467->7468 7468->7442 7470 27826fb 7469->7470 7471 27826cd 7469->7471 7470->7325 7472 27826e1 inet_ntoa 7471->7472 7473 27826de 7471->7473 7472->7473 7473->7325 7480 278a63d 7474->7480 7476 278a685 7476->7370 7478 278a63d GetTickCount 7477->7478 7479 278a696 7478->7479 7479->7370 7481 278a64d 7480->7481 7482 278a645 7480->7482 7483 278a65e GetTickCount 7481->7483 7484 278a66e 7481->7484 7482->7476 7483->7484 7484->7476 7502 278a4c7 GetTickCount 7485->7502 7488 278c47a 7493 278c4ab InterlockedIncrement CreateThread 7488->7493 7494 278c4d2 7488->7494 7489 278c300 GetTickCount 7491 278c337 7489->7491 7490 278c326 7490->7491 7492 278c32b GetTickCount 7490->7492 7491->7488 7496 278c363 GetTickCount 7491->7496 7492->7491 7493->7494 7495 278c4cb CloseHandle 7493->7495 7507 278b535 7493->7507 7494->7324 7495->7494 7496->7488 7497 278c373 7496->7497 7498 278c378 GetTickCount 7497->7498 7499 278c37f 7497->7499 7498->7499 7500 278c43b GetTickCount 7499->7500 7501 278c45e 7500->7501 7501->7488 7503 278a4f7 InterlockedExchange 7502->7503 7504 278a500 7503->7504 7505 278a4e4 GetTickCount 7503->7505 7504->7488 7504->7489 7504->7490 7505->7504 7506 278a4ef Sleep 7505->7506 7506->7503 7508 278b566 7507->7508 7509 278ebcc 4 API calls 7508->7509 7510 278b587 7509->7510 7511 278ebcc 4 API calls 7510->7511 7549 278b590 7511->7549 7512 278bdcd InterlockedDecrement 7513 278bde2 7512->7513 7515 278ec2e codecvt 4 API calls 7513->7515 7516 278bdea 7515->7516 7517 278ec2e codecvt 4 API calls 7516->7517 7519 278bdf2 7517->7519 7518 278bdb7 Sleep 7518->7549 7520 278be05 7519->7520 7522 278ec2e codecvt 4 API calls 7519->7522 7521 278bdcc 7521->7512 7522->7520 7523 278ebed 8 API calls 7523->7549 7526 278b6b6 lstrlenA 7526->7549 7527 27830b5 2 API calls 7527->7549 7528 278b6ed lstrcpyA 7582 2785ce1 7528->7582 7529 278e819 11 API calls 7529->7549 7532 278b71f lstrcmpA 
7533 278b731 lstrlenA 7532->7533 7532->7549 7533->7549 7534 278b772 GetTickCount 7534->7549 7535 278bd49 InterlockedIncrement 7676 278a628 7535->7676 7538 278bc5b InterlockedIncrement 7538->7549 7539 278b7ce InterlockedIncrement 7592 278acd7 7539->7592 7540 27838f0 6 API calls 7540->7549 7543 278b912 GetTickCount 7543->7549 7544 278b826 InterlockedIncrement 7544->7534 7545 278bcdc closesocket 7545->7549 7546 278b932 GetTickCount 7547 278bc6d InterlockedIncrement 7546->7547 7546->7549 7547->7549 7549->7512 7549->7518 7549->7521 7549->7523 7549->7526 7549->7527 7549->7528 7549->7529 7549->7532 7549->7533 7549->7534 7549->7535 7549->7538 7549->7539 7549->7540 7549->7543 7549->7544 7549->7545 7549->7546 7550 278a7c1 22 API calls 7549->7550 7551 278bba6 InterlockedIncrement 7549->7551 7554 278bc4c closesocket 7549->7554 7556 2785ce1 22 API calls 7549->7556 7557 278ba71 wsprintfA 7549->7557 7558 2785ded 12 API calls 7549->7558 7561 278ab81 lstrcpynA InterlockedIncrement 7549->7561 7562 278ef1e lstrlenA 7549->7562 7563 278a688 GetTickCount 7549->7563 7564 2783e10 7549->7564 7567 2783e4f 7549->7567 7570 278384f 7549->7570 7590 278a7a3 inet_ntoa 7549->7590 7597 278abee 7549->7597 7609 2781feb GetTickCount 7549->7609 7630 2783cfb 7549->7630 7633 278b3c5 7549->7633 7664 278ab81 7549->7664 7550->7549 7551->7549 7554->7549 7556->7549 7610 278a7c1 7557->7610 7558->7549 7561->7549 7562->7549 7563->7549 7565 27830fa 4 API calls 7564->7565 7566 2783e1d 7565->7566 7566->7549 7568 27830fa 4 API calls 7567->7568 7569 2783e5c 7568->7569 7569->7549 7571 27830fa 4 API calls 7570->7571 7573 2783863 7571->7573 7572 27838b2 7572->7549 7573->7572 7574 27838b9 7573->7574 7575 2783889 7573->7575 7685 27835f9 7574->7685 7679 2783718 7575->7679 7580 27835f9 6 API calls 7580->7572 7581 2783718 6 API calls 7581->7572 7583 2785cec 7582->7583 7584 2785cf4 7582->7584 7691 2784bd1 GetTickCount 7583->7691 7586 2784bd1 4 API calls 7584->7586 7587 2785d02 7586->7587 7696 2785472 7587->7696 7591 278a7b9 
APIs
• closesocket.WS2_32(?), ref: 0278CA4E
• closesocket.WS2_32(?), ref: 0278CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0278CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0278CCB4
• WriteFile.KERNEL32(0278A4B3,?,-000000E8,?,00000000), ref: 0278CCDC
• CloseHandle.KERNEL32(0278A4B3), ref: 0278CCED
• wsprintfA.USER32 ref: 0278CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0278CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0278CD89
• CloseHandle.KERNEL32(?), ref: 0278CD98
• CloseHandle.KERNEL32(?), ref: 0278CD9D
• DeleteFileA.KERNEL32(?), ref: 0278CDC4
• CloseHandle.KERNEL32(0278A4B3), ref: 0278CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0278CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0278CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0278D033
• lstrcatA.KERNEL32(?,03F00108), ref: 0278D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0278D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0278D171
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000), ref: 0278D195
• CloseHandle.KERNEL32(00000000), ref: 0278D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0278D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0278D231
• lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 0278D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0278D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0278D2C7
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0278D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0278D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0278D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0278D372
• lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 0278D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0278D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0278D408
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0278D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0278D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0278D45B
• CreateProcessA.KERNEL32(?,02790264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0278D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0278D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0278D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0278D513
• closesocket.WS2_32(?), ref: 0278D56C
• Sleep.KERNEL32(000003E8), ref: 0278D577
• ExitProcess.KERNEL32 ref: 0278D583
• wsprintfA.USER32 ref: 0278D81F
  • Part of subcall function 0278C65C: send.WS2_32(00000000,?,00000000), ref: 0278C74B
• closesocket.WS2_32(?), ref: 0278DAD5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-2402615725
• Opcode ID: fa639f71d0819cdbb95d2e0b0fb0d48f34d9373b7af34f0421d0c165360cc539
• Instruction ID: aa71ab638476704bda05e618cf2415a73d718b25637c6913823cf8cd226854df
• Opcode Fuzzy Hash: fa639f71d0819cdbb95d2e0b0fb0d48f34d9373b7af34f0421d0c165360cc539
• Instruction Fuzzy Hash: FFB2A3B2DC0309AFEB25BFA4DC49FEE7BB9EB04304F14446AE605A6180D7309955CF61
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 02789A7F
• SetErrorMode.KERNELBASE(00000003), ref: 02789A83
• SetUnhandledExceptionFilter.KERNEL32(02786511), ref: 02789A8A
  • Part of subcall function 0278EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0278EC5E
  • Part of subcall function 0278EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0278EC72
  • Part of subcall function 0278EC54: GetTickCount.KERNEL32 ref: 0278EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02789AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 02789ABA
• GetCommandLineA.KERNEL32 ref: 02789AFD
• lstrlenA.KERNEL32(?), ref: 02789B99
• ExitProcess.KERNEL32 ref: 02789C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 02789CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 02789D7A
• lstrcatA.KERNEL32(?,?), ref: 02789D8B
• lstrcatA.KERNEL32(?,0279070C), ref: 02789D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02789DED
• DeleteFileA.KERNEL32(00000022), ref: 02789E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02789E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02789EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02789ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02789F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02789F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02789F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02789FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02789FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02789FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0278A038
• lstrcatA.KERNEL32(00000022,02790A34), ref: 0278A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0278A072
• lstrcatA.KERNEL32(00000022,02790A34), ref: 0278A08D
• wsprintfA.USER32 ref: 0278A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0278A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0278A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0278A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0278A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0278A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0278A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0278A1B6
• GetCommandLineA.KERNEL32 ref: 0278A1E5
  • Part of subcall function 027899D2: lstrcpyA.KERNEL32(?,?,00000100,027922F8,00000000,?,02789E9D,?,00000022,?,?,?,?,?,?,?), ref: 027899DF
  • Part of subcall function 027899D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02789E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02789A3C
  • Part of subcall function 027899D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02789E9D,?,00000022,?,?,?), ref: 02789A52
• lstrlenA.KERNEL32(?), ref: 0278A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0278A3B7
• GetLastError.KERNEL32 ref: 0278A3ED
• Sleep.KERNELBASE(000003E8), ref: 0278A400
• DeleteFileA.KERNELBASE(027933D8), ref: 0278A407
• CreateThread.KERNELBASE(00000000,00000000,0278405E,00000000,00000000,00000000), ref: 0278A42C
• WSAStartup.WS2_32(00001010,?), ref: 0278A43A
• CreateThread.KERNELBASE(00000000,00000000,0278877E,00000000,00000000,00000000), ref: 0278A469
• Sleep.KERNELBASE(00000BB8), ref: 0278A48A
• GetTickCount.KERNEL32 ref: 0278A49F
• GetTickCount.KERNEL32 ref: 0278A4B7
• Sleep.KERNELBASE(00001A90), ref: 0278A4C3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$D$P$\$bazwewbz
• API String ID: 2089075347-4239878819
• Opcode ID: a645f9d0c8186bbf3c2de24d68ccfaf10f71980552677d1f3522a98e47a6ea14
• Instruction ID: 6546e41da9cc0c89dba8eeec1c108ceb9185d0dcaa28eb99ecbb0a437ea32253
• Opcode Fuzzy Hash: a645f9d0c8186bbf3c2de24d68ccfaf10f71980552677d1f3522a98e47a6ea14
• Instruction Fuzzy Hash: 835272B2DC0359EFDF21BBA4CC49EEE7BBDAB04304F1444A6F609A2141E7709A558F61

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      Control-flow graph of the function starting at 0x0278199C (rendered as a graph image in the report; the node and edge listing is not reproduced as text)
                                                                      APIs
                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 027819B1
                                                                      • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02781E9E), ref: 027819BF
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 027819E2
                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 027819ED
                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 027819F9
                                                                      • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02781E9E), ref: 02781A1B
                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02781E9E), ref: 02781A1D
                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02781E9E), ref: 02781A36
                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,02781E9E,?,?,?,?,00000001,02781E9E), ref: 02781A4A
                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,02781E9E,?,?,?,?,00000001,02781E9E), ref: 02781A5A
                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,02781E9E,?,?,?,?,00000001,02781E9E), ref: 02781A6E
                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02781E9E), ref: 02781A9B
                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02781E9E), ref: 02781AA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                      • API String ID: 293628436-270533642
                                                                      • Opcode ID: ef8fd99879fdb9015d2383c5e194a642582e9c41e0ae20a823770d74d16727f6
                                                                      • Instruction ID: 7f89764c4b23953107eb84ea531532cdf5901371166ecc879c891e63825b31f1
                                                                      • Opcode Fuzzy Hash: ef8fd99879fdb9015d2383c5e194a642582e9c41e0ae20a823770d74d16727f6
                                                                      • Instruction Fuzzy Hash: C1318E72D90219AFDF11EFE4DC888BEBFB9EF45205B94497AE509E3110D7304A42CBA5

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      Control-flow graph of the function starting at 0x02787A95 (rendered as a graph image in the report; the node and edge listing is not reproduced as text)
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02787ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 02787ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0279070C,?,?,?), ref: 02787B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02787B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02787B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 02787B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02787B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02787B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02787B9C
                                                                      • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02787BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 02787BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,02787FC9,?,00000000), ref: 02787BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$D
                                                                      • API String ID: 2976863881-489978695
                                                                      • Opcode ID: 2b85095bba823048d91f7c6ec8c6ea4eceac0b9e8e445f6e29716f5dc1cd394d
                                                                      • Instruction ID: fef07e4fd81563e515092f4824e3de7b97f8e3f4ea35a5410eec2aafda55de49
                                                                      • Opcode Fuzzy Hash: 2b85095bba823048d91f7c6ec8c6ea4eceac0b9e8e445f6e29716f5dc1cd394d
                                                                      • Instruction Fuzzy Hash: 48A16E76D80219AFDF15AFA5DC88FEEBBBDFB44304F148469E606E2140E7318A55CB60

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      Control-flow graph of the function starting at 0x02787809 (rendered as a graph image in the report; the node and edge listing is not reproduced as text)
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0278782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02787866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 02787878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0278789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,02787F63,?), ref: 027878B8
                                                                      • EqualSid.ADVAPI32(?,02787F63), ref: 027878D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 027878E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 027878F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02787901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02787910
                                                                      • LocalFree.KERNEL32(00000000), ref: 02787917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02787933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 02787963
                                                                      • EqualSid.ADVAPI32(?,02787F63), ref: 0278798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 027879A3
                                                                      • EqualSid.ADVAPI32(?,02787F63), ref: 027879C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02787A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02787A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02787A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02787A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 02787A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: f0f9ae889aac0b14b3ff67ba7f886f8d393a2d2fd3993bb7b46bb582fa045a79
                                                                      • Instruction ID: 23d7456b1ecc38d3889fd692108de19b0c0f80436842cd3fe6d81a5c9174f82b
                                                                      • Opcode Fuzzy Hash: f0f9ae889aac0b14b3ff67ba7f886f8d393a2d2fd3993bb7b46bb582fa045a79
                                                                      • Instruction Fuzzy Hash: EE815C76D80219AFDB21DFA9CD44FEEBBB8EF08344F24856AE506E2140E7348651CF65
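The API lists above each describe one behaviour of the injected svchost payload as an ordered call sequence: the service entry that calls DeleteFileA right after StartServiceCtrlDispatcherA, the inet_addr/GetBestInterface/GetAdaptersInfo probe that uses the literal 123.45.67.89 to pick the egress adapter, and the two routines that take ownership (SetSecurityDescriptorOwner, then RegSetKeySecurity or SetFileSecurityA with OWNER_SECURITY_INFORMATION) and then walk the DACL with GetAce/EqualSid/DeleteAce before writing it back. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's `• Api.MODULE(args), ref: ADDR` format into records and matches them against ordered-subsequence signatures, so the heap and string helpers interleaved between the interesting calls do not break the match. The signature names and the choice of calls in each sequence are this example's own assumptions; the trace strings embedded in the block are copied subsets of the lists above.

```python
"""Parse Joe Sandbox 'APIs' trace lines and match ordered API sequences.
Added example, not part of the Joe Sandbox report or of the analysed sample; the
trace strings at the bottom are copied subsets of the report's API lists, and the
signature names/sequences are this example's own assumptions."""
import re
from dataclasses import dataclass

# "• Api.MODULE(arg,arg), ref: 0278A288"; bullet and args are optional, and an
# optional "Part of subcall function XXXXXXXX:" prefix marks inlined callees.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple    # argument strings as printed, "?" when unresolved
    ref: int       # call-site address from "ref:"
    subcall: bool  # True for "Part of subcall function" lines


def parse_trace(text):
    """Return ApiCall records in report order; lines that do not parse are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                 int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def contains_sequence(calls, sequence):
    """True if `sequence` occurs in `calls` in order; unrelated calls may sit between."""
    pending = list(sequence)
    for c in calls:
        if pending and c.api == pending[0]:
            pending.pop(0)
    return not pending


# Behaviours visible in the report's traces, as ordered API subsequences (assumed).
SIGNATURES = {
    "take_ownership_and_rewrite_file_dacl": (
        "GetUserNameA", "LookupAccountNameA", "GetFileSecurityA",
        "GetSecurityDescriptorOwner", "EqualSid", "SetSecurityDescriptorOwner",
        "SetFileSecurityA", "GetSecurityDescriptorDacl", "GetAce", "EqualSid",
        "DeleteAce", "SetSecurityDescriptorDacl", "SetFileSecurityA"),
    "take_ownership_of_regkey": (
        "GetUserNameA", "LookupAccountNameA", "RegGetKeySecurity",
        "GetSecurityDescriptorOwner", "EqualSid", "SetSecurityDescriptorOwner",
        "RegSetKeySecurity"),
    "egress_interface_probe": ("inet_addr", "GetBestInterface", "GetAdaptersInfo"),
    "service_main_self_delete": (
        "StartServiceCtrlDispatcherA", "DeleteFileA", "WSAStartup", "CreateThread"),
}


def match_signatures(calls):
    return [name for name, seq in SIGNATURES.items() if contains_sequence(calls, seq)]


def first_arg(calls, api):
    """First argument of the first call to `api` (e.g. the inet_addr literal), or None."""
    return next((c.args[0] for c in calls if c.api == api and c.args), None)


FILE_ACL_TRACE = """
• GetUserNameA.ADVAPI32(?,?), ref: 0278782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02787866
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0278789A
• GetSecurityDescriptorOwner.ADVAPI32(?,02787F63,?), ref: 027878B8
• EqualSid.ADVAPI32(?,02787F63), ref: 027878D2
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02787901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02787910
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02787933
• GetAce.ADVAPI32(?,00000000,?), ref: 02787963
• EqualSid.ADVAPI32(?,02787F63), ref: 0278798A
• DeleteAce.ADVAPI32(?,00000000), ref: 027879A3
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02787A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02787A79
"""
NET_TRACE = """
• inet_addr.WS2_32(123.45.67.89), ref: 027819B1
• LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02781E9E), ref: 027819BF
• GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02781E9E), ref: 02781A1B
• GetAdaptersInfo.IPHLPAPI(00000000,02781E9E,?,?,?,?,00000001,02781E9E), ref: 02781A4A
"""
SERVICE_TRACE = """
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0278A3B7
• DeleteFileA.KERNELBASE(027933D8), ref: 0278A407
• WSAStartup.WS2_32(00001010,?), ref: 0278A43A
• CreateThread.KERNELBASE(00000000,00000000,0278877E,00000000,00000000,00000000), ref: 0278A469
"""
```

`match_signatures(parse_trace(FILE_ACL_TRACE))` returns only the file DACL signature and `first_arg(parse_trace(NET_TRACE), "inet_addr")` returns the probe literal, so the same records can feed both a behavioural verdict and an IOC extraction step. The registry variant of the ownership routine is matched by the shorter `take_ownership_of_regkey` sequence because the report's API list for that function stops at GetSecurityDescriptorDacl; a subsequence match cannot tell deny ACEs from allow ACEs, so confirming what the rewritten DACL actually grants still needs the dropped file's security descriptor from the infected host.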

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      Control-flow graph of the function starting at 0x02788328 (rendered as a graph image in the report; the node and edge listing is not reproduced as text)
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02790750,?,?,00000000,localcfg,00000000), ref: 027883F3
                                                                      • RegQueryValueExA.KERNELBASE(02790750,?,00000000,?,02788893,?,?,?,00000000,00000103,02790750,?,?,00000000,localcfg,00000000), ref: 02788414
                                                                      • RegSetValueExA.KERNELBASE(02790750,?,00000000,00000004,02788893,00000004,?,?,00000000,00000103,02790750,?,?,00000000,localcfg,00000000), ref: 02788441
                                                                      • RegCloseKey.ADVAPI32(02790750,?,?,00000000,00000103,02790750,?,?,00000000,localcfg,00000000), ref: 0278844A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe$localcfg
                                                                      • API String ID: 237177642-767073137
                                                                      • Opcode ID: 9859b9d0467871625c471ede651f03ea07194cc306778ad409595128a15e6fa2
                                                                      • Instruction ID: 71660585584b0da60b8fda52d1316b9e68b0487cbe08e5aee059125751a03dde
                                                                      • Opcode Fuzzy Hash: 9859b9d0467871625c471ede651f03ea07194cc306778ad409595128a15e6fa2
                                                                      • Instruction Fuzzy Hash: 3CC18DB2DC024DBFEB12BBA49C89EEE7BBDEB05304F544465F605A2041E7304A95CF62

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 02781DC6
                                                                      • GetSystemInfo.KERNELBASE(?), ref: 02781DE8
                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02781E03
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02781E0A
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 02781E1B
                                                                      • GetTickCount.KERNEL32 ref: 02781FC9
                                                                        • Part of subcall function 02781BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02781C15
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                      • API String ID: 4207808166-1381319158
                                                                      • Opcode ID: 48fa9ba05078bb1c04bee84acea0692f517ed83406beb6647c7378711f836f2c
                                                                      • Instruction ID: 504e0323d3cc0e74f0ab8ced75bca331412d8b49b7aeb3f376a87e4a05c848df
                                                                      • Opcode Fuzzy Hash: 48fa9ba05078bb1c04bee84acea0692f517ed83406beb6647c7378711f836f2c
                                                                      • Instruction Fuzzy Hash: 4C51C3B19843446FE720BF798C89F2BBAECEF45708F44491DF58A82242D774A505CB61

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      Control-flow graph of the function starting at 0x027873FF (rendered as a graph image in the report; the node and edge listing is not reproduced as text)
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 02787472
                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 027874F0
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 02787528
                                                                      • ___ascii_stricmp.LIBCMT ref: 0278764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 027876E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02787706
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02787717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 02787745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 027877EF
                                                                        • Part of subcall function 0278F1A5: lstrlenA.KERNEL32(000000C8,000000E4,027922F8,000000C8,02787150,?), ref: 0278F1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0278778F
                                                                      • RegCloseKey.KERNELBASE(?), ref: 027877E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "
                                                                      • API String ID: 3433985886-123907689
                                                                      • Opcode ID: bc4d7f5e5794d85ef1d520008dc95403acdde0aa1c1422d221f254aaf2a34baf
                                                                      • Instruction ID: d51f4fed55acf99638f450e6a70f9d9e9e97fe0560dc52ea2164baa5fa56bdaf
                                                                      • Opcode Fuzzy Hash: bc4d7f5e5794d85ef1d520008dc95403acdde0aa1c1422d221f254aaf2a34baf
                                                                      • Instruction Fuzzy Hash: FFC1E476980209AFEB16AFA4DC48FEEBBB9EF45310F240495F505E6190EB31DA44CF60

Control-flow graph of the function with entry block 278675c (rendered graph not recoverable; basic blocks 278675c through 2786986, calls listed below)
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0278677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0278679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 027867B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 027867BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 027867D3
• ReadFile.KERNELBASE(000000FF,?,00000040,02788244,00000000,?,75920F10,00000000), ref: 02786807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0278681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0278683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0278685C
• ReadFile.KERNEL32(000000FF,?,00000028,02788244,00000000,?,75920F10,00000000), ref: 0278688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 02786906
• ReadFile.KERNEL32(000000FF,?,00000000,02788244,00000000,?,75920F10,00000000), ref: 0278691C
• CloseHandle.KERNELBASE(000000FF,?,75920F10,00000000), ref: 02786971
  • Part of subcall function 0278EC2E: GetProcessHeap.KERNEL32(00000000,0278EA27,00000000,0278EA27,00000000), ref: 0278EC41
  • Part of subcall function 0278EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0278EC48
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: aa5226c654be36033d54768b8aeaee8546e23b12bdfa2df21bcca6271c108a0e
• Instruction ID: 7f480686ff1264994820e89621fb2182a9db6b6dc034cb7f003c47d0f0811a46
• Opcode Fuzzy Hash: aa5226c654be36033d54768b8aeaee8546e23b12bdfa2df21bcca6271c108a0e
• Instruction Fuzzy Hash: 5F7114B1C40219FFDF15AFA8CC85AEEBBB9FB04314F10456AE515A6190E7309E92CF60

Control-flow graph of the function with entry block 278f315 (rendered graph not recoverable; basic blocks 278f315 through 278f427, including ioctlsocket, connect, select and __WSAFDIsSet calls and a call to 278f26d)
APIs
• htons.WS2_32(0278CA1D), ref: 0278F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0278F367
• closesocket.WS2_32(00000000), ref: 0278F375
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 3c02a5e7d98d8e2ac09b0e6f019834d7a2735aa8a69660f91378173ca64cb440
• Instruction ID: 029859d01bc90392895896c3d1449b70cc83b8933b9f8d14ea42e0b6b2c1edb4
• Opcode Fuzzy Hash: 3c02a5e7d98d8e2ac09b0e6f019834d7a2735aa8a69660f91378173ca64cb440
• Instruction Fuzzy Hash: 1B317E72990218ABDB11EFA5DC849EF7BBCFF48310F104566F919E3140E7309A518BA1

Control-flow graph of the function with entry block 278405e (rendered graph not recoverable; basic blocks 278405e through 278427b, including CreateNamedPipeA, ConnectNamedPipe, DisconnectNamedPipe, Sleep, GetLastError and CloseHandle calls)
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02784070
• ExitProcess.KERNEL32 ref: 02784121
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: dd76f79f7855ac196bdaeb0c1ce13ce6cac29d05e284a136444a0e08992146df
• Instruction ID: 25cf814ff8d18f8e2faddf4560076df8027c536b1baaf0add7f0cb0be1c3ac3a
• Opcode Fuzzy Hash: dd76f79f7855ac196bdaeb0c1ce13ce6cac29d05e284a136444a0e08992146df
• Instruction Fuzzy Hash: F25191B1D9021ABBEB21BAA48C89FBF7B7DEF11714F004065F614F6180E7758A11CBA1

Control-flow graph of the function with entry block 2782d21 (rendered graph not recoverable; basic blocks 2782d21 through 2782df1, calls listed below)
APIs
• GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02782F01,?,027820FF,02792000), ref: 02782D3A
• LoadLibraryA.KERNEL32(?), ref: 02782D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02782D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02782D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02782D99
• HeapAlloc.KERNEL32(00000000), ref: 02782DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02782DCB
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 233223969-3847274415
• Opcode ID: e494084d07aa543453d67a892677b8a2fd18b73cb0938dcada6e033459da9047
• Instruction ID: 660e3db477de115205cf9836dda0fea6f6d86970121b980057374e6006ba4140
• Opcode Fuzzy Hash: e494084d07aa543453d67a892677b8a2fd18b73cb0938dcada6e033459da9047
• Instruction Fuzzy Hash: 68219271D80225BBCB21AF56DC44AAEBFB8FF08751F104412FD05E3101E37099828BE0

Control-flow graph of the function with entry block 27880c9 (rendered graph not recoverable; basic blocks 27880c9 through 2788273, including a call to the file-reading subroutine 278675c)
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0278815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0278A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02788187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0278A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 027881BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02788210
  • Part of subcall function 0278675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0278677E
  • Part of subcall function 0278675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0278679A
  • Part of subcall function 0278675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 027867B0
  • Part of subcall function 0278675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 027867BF
  • Part of subcall function 0278675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 027867D3
  • Part of subcall function 0278675C: ReadFile.KERNELBASE(000000FF,?,00000040,02788244,00000000,?,75920F10,00000000), ref: 02786807
  • Part of subcall function 0278675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0278681F
  • Part of subcall function 0278675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0278683E
  • Part of subcall function 0278675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0278685C
  • Part of subcall function 0278EC2E: GetProcessHeap.KERNEL32(00000000,0278EA27,00000000,0278EA27,00000000), ref: 0278EC41
  • Part of subcall function 0278EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0278EC48
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\bazwewbz\wuefhdgm.exe
• API String ID: 124786226-3712348508
• Opcode ID: 74337b4e1b6239898beaa090de9d5e37c074a4ecf942dac76d856ae83633dd87
• Instruction ID: 22f6e0e006cccdebf0387add11a6c83df17a7c5b4fa4eb93eb2f763b66993728
• Opcode Fuzzy Hash: 74337b4e1b6239898beaa090de9d5e37c074a4ecf942dac76d856ae83633dd87
• Instruction Fuzzy Hash: D6417FB2DC520DBFEB11FBA49D84EBF77ADAB05304F54486AE905A2001E7305A55CB62

Control-flow graph of the function with entry block 2781ac3 (rendered graph not recoverable; basic blocks 2781ac3 through 2781b70, calls listed below)
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02781AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02781AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02781B20
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: b7a0b61c47ed040b2681e7d6f1112950353eb16af331ff6f9d65a2f215b6d682
• Instruction ID: 38267d7247ab3fdc25d20bfd86990ea697f8f3d04efd23240b75c56632a21d77
• Opcode Fuzzy Hash: b7a0b61c47ed040b2681e7d6f1112950353eb16af331ff6f9d65a2f215b6d682
• Instruction Fuzzy Hash: 8F119672E81238AFDB15ABA9DC85CEEBFBAEB44B10F944055E009E7100E7305A42CB94

Control-flow graph of the function with entry block 278e3ca (rendered graph not recoverable; basic blocks 278e3ca through 278e52d, calls listed below)
APIs
• RegOpenKeyExA.KERNELBASE(80000001,0278E5F2,00000000,00020119,0278E5F2,027922F8), ref: 0278E3E6
• RegQueryValueExA.ADVAPI32(0278E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0278E44E
• RegQueryValueExA.ADVAPI32(0278E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0278E482
• RegQueryValueExA.ADVAPI32(0278E5F2,?,00000000,?,80000001,?), ref: 0278E4CF
• RegCloseKey.ADVAPI32(0278E5F2,?,?,?,?,000000C8,000000E4), ref: 0278E520
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 063cc981383481cdfb04b924b430b74cdd71ef9dcd3783b48b84ffb5750830c4
• Instruction ID: ff4a27cee9732e969ffd2ea6951b4ab65b8df46030f8a5609709c092fdac9dfa
• Opcode Fuzzy Hash: 063cc981383481cdfb04b924b430b74cdd71ef9dcd3783b48b84ffb5750830c4
• Instruction Fuzzy Hash: 2441F7B2D4021DAFEF11AFD8DC84DEEBBBDEB08344F544566FA14A2150E3319A558B60

                                                                      Control-flow Graph

                                                                      control_flow_graph 1351 278f26d-278f303 setsockopt * 5
                                                                      APIs
                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0278F2A0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0278F2C0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0278F2DD
                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0278F2EC
                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0278F2FD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 6a433826af33782946d5a7465b2b9ba9a87c77c73ae4d35bb2f318736e7ea3f3
                                                                      • Instruction ID: bfe63e96b519175b7071e7268763550782f27acc10559af7cc21d27cc8ae9fab
                                                                      • Opcode Fuzzy Hash: 6a433826af33782946d5a7465b2b9ba9a87c77c73ae4d35bb2f318736e7ea3f3
                                                                      • Instruction Fuzzy Hash: 2911FBB1A40248BAEB11DE94CD41FAE7FBCEB44751F008066BB04EA1D0E6B19A45CB94

                                                                      Control-flow Graph

                                                                      control_flow_graph 1352 2781bdf-2781c04 call 2781ac3 1354 2781c09-2781c0b 1352->1354 1355 2781c5a-2781c5e 1354->1355 1356 2781c0d-2781c1d GetComputerNameA 1354->1356 1357 2781c1f-2781c24 1356->1357 1358 2781c45-2781c57 GetVolumeInformationA 1356->1358 1357->1358 1359 2781c26-2781c3b 1357->1359 1358->1355 1359->1359 1360 2781c3d-2781c3f 1359->1360 1360->1358 1361 2781c41-2781c43 1360->1361 1361->1355
                                                                      APIs
                                                                        • Part of subcall function 02781AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02781AD4
                                                                        • Part of subcall function 02781AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02781AE9
                                                                        • Part of subcall function 02781AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02781B20
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 02781C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02781C51
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2794401326-2393279970
                                                                      • Opcode ID: b55c20ec8f58696b57a0cbdf570346cb042babf2d2f20e0000aae3559f40d22d
                                                                      • Instruction ID: 998299a7db7bece04c4bb3da533982527aeb0b0cf0778647ec424c1eb09274d9
                                                                      • Opcode Fuzzy Hash: b55c20ec8f58696b57a0cbdf570346cb042babf2d2f20e0000aae3559f40d22d
                                                                      • Instruction Fuzzy Hash: 930192B6A41218BFEB10EAF8C8C59FFBBBDEB44655F504475E706E3100D2309E4596A1
                                                                      APIs
                                                                        • Part of subcall function 02781AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02781AD4
                                                                        • Part of subcall function 02781AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02781AE9
                                                                        • Part of subcall function 02781AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02781B20
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 02781BA3
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02781EFD,00000000,00000000,00000000,00000000), ref: 02781BB8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: localcfg
                                                                      • API String ID: 2794401326-1857712256
                                                                      • Opcode ID: a04a4d437a3c7326f193258d9581dc532384d9d69a5e28d75af6a4b32de27cae
                                                                      • Instruction ID: 8ac600d8151cb8072cbce8cd869f62f61650e89c252d032a50b8103415dbb008
                                                                      • Opcode Fuzzy Hash: a04a4d437a3c7326f193258d9581dc532384d9d69a5e28d75af6a4b32de27cae
                                                                      • Instruction Fuzzy Hash: 6B01ADB7D4010CBFEB01ABE9C8859EFFBBDEB48660F150462AB01F3140D6705E098AA0
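The five-call setsockopt sequence and the GetComputerNameA / GetVolumeInformationA / GetAdaptersAddresses host-identification function listed in the entries above are easier to read once the raw hexadecimal arguments are named. The Python below is an added example and is not part of the Joe Sandbox report or of the Tofsee sample: it parses API-trace lines in the report's own "• api.MODULE(args), ref: addr" form, maps the setsockopt level/option values to their Winsock2.h names, and lists which host-fingerprinting APIs a function calls. The two embedded trace strings are copied from the entries above; the parser, the constant tables and the FINGERPRINT_APIS set are my own choices, not something the report defines.

```python
# Added example: decode Joe Sandbox API-trace lines. Not part of the report.
# Line form:  • <api>.<module>(<arg>,...), ref: <address>
# Args are 8-hex-digit DWORDs from the stack, recovered strings, or '?'.
import re
from dataclasses import dataclass, field

# Winsock2.h constant values (public Microsoft definitions).
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVEL_NAMES = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
OPTION_NAMES = {
    SOL_SOCKET: {0x0004: "SO_REUSEADDR", 0x0080: "SO_LINGER",
                 0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"},
    IPPROTO_TCP: {0x0001: "TCP_NODELAY"},
}
# APIs whose combined output gives a stable per-host identifier (my selection).
FINGERPRINT_APIS = {"GetComputerNameA", "GetVolumeInformationA", "GetAdaptersAddresses"}

API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)  # int, str, or None for '?'
    ref: int = 0

def _parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    # Eight hex digits is how the trace prints a recovered DWORD.
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_api_line(line):
    m = API_LINE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))

def parse_trace(text):
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]

def _name(table, value, prefix):
    if value is None:
        return "?"
    return table.get(value, f"{prefix}_{value:#x}") if isinstance(value, int) else str(value)

def decode_setsockopt(call):
    """(level, option, optlen) names for one traced setsockopt() call.

    Only level/optname/optlen are interpreted: the first argument in the
    trace is often a stale stack slot (00000000, 00000004) rather than the
    real socket handle, so it is deliberately ignored."""
    if call.api != "setsockopt" or len(call.args) < 5:
        return None
    _sock, level, optname, _optval, optlen = call.args[:5]
    return (_name(LEVEL_NAMES, level, "level"),
            _name(OPTION_NAMES.get(level, {}), optname, "opt"), optlen)

def setsockopt_summary(text):
    return [decode_setsockopt(c) for c in parse_trace(text) if c.api == "setsockopt"]

def fingerprint_apis(calls):
    """Host-identification APIs present in a function's trace, sorted."""
    return sorted({c.api for c in calls if c.api in FINGERPRINT_APIS})

# Trace lines copied from the two report entries above.
SETSOCKOPT_TRACE = """\
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0278F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0278F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0278F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0278F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0278F2FD
"""
FINGERPRINT_TRACE = """\
• Part of subcall function 02781AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02781AD4
• Part of subcall function 02781AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02781AE9
• Part of subcall function 02781AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02781B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 02781C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02781C51
"""

if __name__ == "__main__":
    for level, opt, optlen in setsockopt_summary(SETSOCKOPT_TRACE):
        print(f"setsockopt({level}, {opt}, optlen={optlen})")
    print("fingerprint APIs:", fingerprint_apis(parse_trace(FINGERPRINT_TRACE)))
```

Run as a script it prints the five calls as SO_REUSEADDR, SO_SNDTIMEO, SO_RCVTIMEO, TCP_NODELAY and SO_LINGER, each with a 4-byte option value, and lists the three host-identification APIs. Two caveats when reading the trace this way: the socket argument is taken from the stack at call time and is not reliable in these entries, and an eight-character ASCII string made only of the letters a to f would be misread as a DWORD (none occurs in the entries above).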
                                                                      APIs
                                                                      • inet_addr.WS2_32(00000001), ref: 02782693
                                                                      • gethostbyname.WS2_32(00000001), ref: 0278269F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg
                                                                      • API String ID: 1594361348-2401304539
                                                                      • Opcode ID: 62f8b773567394ee1da71d13b0c3953b868502aa665a1a29d889c824cfed522f
                                                                      • Instruction ID: 3579455a8e33d5ba5669778a1beb12f156b61a822cf49026b7cec49a6e5d2e02
                                                                      • Opcode Fuzzy Hash: 62f8b773567394ee1da71d13b0c3953b868502aa665a1a29d889c824cfed522f
                                                                      • Instruction Fuzzy Hash: 70E0C230B541518FCB10AB28F444BD677E4EF06231F018581F840D3191C730DC818780
                                                                      APIs
                                                                        • Part of subcall function 0278DD05: GetTickCount.KERNEL32 ref: 0278DD0F
                                                                        • Part of subcall function 0278DD05: InterlockedExchange.KERNEL32(027936B4,00000001), ref: 0278DD44
                                                                        • Part of subcall function 0278DD05: GetCurrentThreadId.KERNEL32 ref: 0278DD53
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0278A445), ref: 0278E558
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,0278A445), ref: 0278E583
                                                                      • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0278A445), ref: 0278E5B2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                      • String ID:
                                                                      • API String ID: 3683885500-0
                                                                      • Opcode ID: e66d1ea57bb4758ddfaf95a09c6f1c0617367b5486181081d56408e16f2dc16b
                                                                      • Instruction ID: 7b43a9a22b102fdee465632c68ebf67200cefaf3a8171b9f5d130d2b1bc007a1
                                                                      • Opcode Fuzzy Hash: e66d1ea57bb4758ddfaf95a09c6f1c0617367b5486181081d56408e16f2dc16b
                                                                      • Instruction Fuzzy Hash: 1521D3F2AC03117BF6227A35AC4AFAB3E5DDB55750F100454BE0EA11D3EB61D9208AF1
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000003E8), ref: 027888A5
                                                                        • Part of subcall function 0278F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0278E342,00000000,7508EA50,80000001,00000000,0278E513,?,00000000,00000000,?,000000E4), ref: 0278F089
                                                                        • Part of subcall function 0278F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0278E342,00000000,7508EA50,80000001,00000000,0278E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0278F093
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: Time$FileSystem$Sleep
                                                                      • String ID: localcfg$rresolv
                                                                      • API String ID: 1561729337-486471987
                                                                      • Opcode ID: 3b0be8bfb05bb357e193c38a70b128c36299e23bfb04b8969bb32d822008eb9b
                                                                      • Instruction ID: 67b394e87302917e5dd9ccc5b2129b064811dba9142b693032d4021727241c27
                                                                      • Opcode Fuzzy Hash: 3b0be8bfb05bb357e193c38a70b128c36299e23bfb04b8969bb32d822008eb9b
                                                                      • Instruction Fuzzy Hash: 2721D731AC83057AF715F7656C4AB6E3ADBAB11724FD04819FD04950C2EBB1459089B3
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,027922F8,027842B6,00000000,00000001,027922F8,00000000,?,027898FD), ref: 02784021
                                                                      • GetLastError.KERNEL32(?,027898FD,00000001,00000100,027922F8,0278A3C7), ref: 0278402C
                                                                      • Sleep.KERNEL32(000001F4,?,027898FD,00000001,00000100,027922F8,0278A3C7), ref: 02784046
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID:
                                                                      • API String ID: 408151869-0
                                                                      • Opcode ID: ed9e71ea978efb84af901d2f25a33cc8c32da50dd5e5816baf26a1341398b231
                                                                      • Instruction ID: a719d5171d6f9bc880225363ef123fab9c6af477d2e9ac6dfee5f9e43b2ff454
                                                                      • Opcode Fuzzy Hash: ed9e71ea978efb84af901d2f25a33cc8c32da50dd5e5816baf26a1341398b231
                                                                      • Instruction Fuzzy Hash: 64F0A7326D02026AD7312A38AC59B1B3265EB81728F268B64F3B5F20D0C7B044829B14
                                                                      APIs
                                                                      • GetEnvironmentVariableA.KERNEL32(0278DC19,?,00000104), ref: 0278DB7F
                                                                      • lstrcpyA.KERNEL32(?,027928F8), ref: 0278DBA4
                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0278DBC2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                      • String ID:
                                                                      • API String ID: 2536392590-0
                                                                      • Opcode ID: f8144a358539f04e898a0ed648f3b667d8116d7eafc73a1e4c35646a5c346090
                                                                      • Instruction ID: 6a4eedc5dd3d215b82891c52f01ca08862f0b9f98c29976ff600357d946fb357
                                                                      • Opcode Fuzzy Hash: f8144a358539f04e898a0ed648f3b667d8116d7eafc73a1e4c35646a5c346090
                                                                      • Instruction Fuzzy Hash: 9EF09070590309ABEF219F64DC89FD93B69AB00318F104594BB51A40D0D7F2D555CB10
                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0278EC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0278EC72
                                                                      • GetTickCount.KERNEL32 ref: 0278EC78
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      • Opcode ID: 04eacb30b39b773a1e2ee310b0da672ce72980a71a64a675736d1bf37d566c8d
                                                                      • Instruction ID: 686678ae5b72d4a9a1920c5e4c93bd2ae7fa3c9392e30016cdc49f6979683771
                                                                      • Opcode Fuzzy Hash: 04eacb30b39b773a1e2ee310b0da672ce72980a71a64a675736d1bf37d566c8d
                                                                      • Instruction Fuzzy Hash: 39E09AF5C60204BFE701ABB4DC4AE6B77BCEB08314F504A50B915D6090DA709A258B60
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 027830D8
                                                                      • gethostbyname.WS2_32(?), ref: 027830E2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: gethostbynamegethostname
                                                                      • String ID:
                                                                      • API String ID: 3961807697-0
                                                                      • Opcode ID: 99bd763834fa2a32c48b90fa8f9077d280b5e078b7e31eb33624b0aeb9cfd2d7
                                                                      • Instruction ID: 5734f604ffe2e8c7c0d288ee155f77bfd7bbd8636e7b6c5cfa9785eb72e8e73d
                                                                      • Opcode Fuzzy Hash: 99bd763834fa2a32c48b90fa8f9077d280b5e078b7e31eb33624b0aeb9cfd2d7
                                                                      • Instruction Fuzzy Hash: BEE09272D40219ABCF10EBA8EC89F9B77ECFF04308F084461F905E3280EA34E5058BA0
                                                                      APIs
                                                                        • Part of subcall function 0278EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0278EC0A,00000000,80000001,?,0278DB55,7FFF0001), ref: 0278EBAD
                                                                        • Part of subcall function 0278EBA0: HeapSize.KERNEL32(00000000,?,0278DB55,7FFF0001), ref: 0278EBB4
                                                                      • GetProcessHeap.KERNEL32(00000000,0278EA27,00000000,0278EA27,00000000), ref: 0278EC41
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 0278EC48
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: Heap$Process$FreeSize
                                                                      • String ID:
                                                                      • API String ID: 1305341483-0
                                                                      • Opcode ID: a63da22e0e277acee7688927bda09d5bef05ec74dd03a79f54a8ae09b5d08933
                                                                      • Instruction ID: bfbff413e12619d123572b9ca7b5332b55297ec6faa37b693f10cd75319d1c35
                                                                      • Opcode Fuzzy Hash: a63da22e0e277acee7688927bda09d5bef05ec74dd03a79f54a8ae09b5d08933
                                                                      • Instruction Fuzzy Hash: 51C01232CD73306BC5523A51B80CF9F6B599F46611F094809F50566044877058414AE1
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0278EBFE,7FFF0001,?,0278DB55,7FFF0001), ref: 0278EBD3
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0278DB55,7FFF0001), ref: 0278EBDA
                                                                        • Part of subcall function 0278EB74: GetProcessHeap.KERNEL32(00000000,00000000,0278EC28,00000000,?,0278DB55,7FFF0001), ref: 0278EB81
                                                                        • Part of subcall function 0278EB74: HeapSize.KERNEL32(00000000,?,0278DB55,7FFF0001), ref: 0278EB88
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: Heap$Process$AllocateSize
                                                                      • String ID:
                                                                      • API String ID: 2559512979-0
                                                                      • Opcode ID: e0816d31f4b4ccf961f93ec210532b281cf314c7b8412e5180db5c93e3f5c530
                                                                      • Instruction ID: be9753c508c6c2eba1e28c5a1722780abe2a0dec67f5e16db6b1188e6bee31ac
                                                                      • Opcode Fuzzy Hash: e0816d31f4b4ccf961f93ec210532b281cf314c7b8412e5180db5c93e3f5c530
                                                                      • Instruction Fuzzy Hash: FEC080325C432067C60137E47C0CF9E3E94DF04362F044414F505C1154C73048518F95
                                                                      APIs
                                                                      • recv.WS2_32(000000C8,?,00000000,0278CA44), ref: 0278F476
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: recv
                                                                      • String ID:
                                                                      • API String ID: 1507349165-0
                                                                      • Opcode ID: 15145421b0c86e3efe41141e75ac99e8595260dde416496ce26021ae827c6ffb
                                                                      • Instruction ID: 43ee714b25d20f7f3d6c165692dc773d9a53231d4ae64b77597f1bd59933fac3
                                                                      • Opcode Fuzzy Hash: 15145421b0c86e3efe41141e75ac99e8595260dde416496ce26021ae827c6ffb
                                                                      • Instruction Fuzzy Hash: 59F01C7324155EAB9B11AE9ADC84CAB3BAEFB892507444522FA18D7110D631E8218BA1
                                                                      APIs
                                                                      • closesocket.WS2_32(00000000), ref: 02781992
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      • API ID: closesocket
                                                                      • String ID:
                                                                      • API String ID: 2781271927-0
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0278DDB5
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 1586166983-0
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02789816,EntryPoint), ref: 0278638F
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02789816,EntryPoint), ref: 027863A9
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 027863CA
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 027863EB
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02781839,02789646), ref: 02781012
                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 027810C2
                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 027810E1
                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02781101
                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02781121
                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02781140
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02781160
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02781180
                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0278119F
                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 027811BF
                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 027811DF
                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 027811FE
                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0278121A
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0278B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0278B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0278B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0278B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0278B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0278B329
                                                                      • wsprintfA.USER32 ref: 0278B3B7
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0278A7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0278A87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0278A893
                                                                      • wsprintfA.USER32 ref: 0278A8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0278A8D2
                                                                      • wsprintfA.USER32 ref: 0278A8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0278A97C
                                                                      • wsprintfA.USER32 ref: 0278A9B9
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0278139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 02781571
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-3716895483
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 02782A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 02782A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 02782AA0
                                                                      • htons.WS2_32(00000000), ref: 02782ADB
                                                                      • select.WS2_32 ref: 02782B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 02782B4A
                                                                      • htons.WS2_32(?), ref: 02782B71
                                                                      • htons.WS2_32(?), ref: 02782B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02782BFB
                                                                      Similarity
                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1639031587-0
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 027870C2
                                                                      • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0278719E
                                                                      • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 027871B2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02787208
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02787291
                                                                      • ___ascii_stricmp.LIBCMT ref: 027872C2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 027872D0
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02787314
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0278738D
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 027873D8
                                                                        • Part of subcall function 0278F1A5: lstrlenA.KERNEL32(000000C8,000000E4,027922F8,000000C8,02787150,?), ref: 0278F1AD
                                                                      Similarity
                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                      • String ID: $"
                                                                      • API String ID: 4293430545-3817095088
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 0278AD98
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0278ADA6
                                                                        • Part of subcall function 0278AD08: gethostname.WS2_32(?,00000080), ref: 0278AD1C
                                                                        • Part of subcall function 0278AD08: lstrlenA.KERNEL32(00000000), ref: 0278AD60
                                                                        • Part of subcall function 0278AD08: lstrlenA.KERNEL32(00000000), ref: 0278AD69
                                                                        • Part of subcall function 0278AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0278AD7F
                                                                        • Part of subcall function 027830B5: gethostname.WS2_32(?,00000080), ref: 027830D8
                                                                        • Part of subcall function 027830B5: gethostbyname.WS2_32(?), ref: 027830E2
                                                                      • wsprintfA.USER32 ref: 0278AEA5
                                                                        • Part of subcall function 0278A7A3: inet_ntoa.WS2_32(?), ref: 0278A7A9
                                                                      • wsprintfA.USER32 ref: 0278AE4F
                                                                      • wsprintfA.USER32 ref: 0278AE5E
                                                                        • Part of subcall function 0278EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0278EF92
                                                                        • Part of subcall function 0278EF7C: lstrlenA.KERNEL32(?), ref: 0278EF99
                                                                        • Part of subcall function 0278EF7C: lstrlenA.KERNEL32(00000000), ref: 0278EFA0
                                                                      Similarity
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,02782F0F,?,027820FF,02792000), ref: 02782E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02782F0F,?,027820FF,02792000), ref: 02782E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02782E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02782F0F,?,027820FF,02792000), ref: 02782E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,02782F0F,?,027820FF,02792000), ref: 02782E4F
                                                                      • htons.WS2_32(00000035), ref: 02782E88
                                                                      • inet_addr.WS2_32(?), ref: 02782E93
                                                                      • gethostbyname.WS2_32(?), ref: 02782EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02782F0F,?,027820FF,02792000), ref: 02782EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,02782F0F,?,027820FF,02792000), ref: 02782EE6
                                                                      Similarity
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
APIs
• GetVersionExA.KERNEL32(?,?,02789DD7,?,00000022,?,?,00000000,00000001), ref: 02789340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02789DD7,?,00000022,?,?,00000000,00000001), ref: 0278936E
• GetModuleFileNameA.KERNEL32(00000000,?,02789DD7,?,00000022,?,?,00000000,00000001), ref: 02789375
• wsprintfA.USER32 ref: 027893CE
• wsprintfA.USER32 ref: 0278940C
• wsprintfA.USER32 ref: 0278948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 027894F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02789526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02789571
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
APIs
• wsprintfA.USER32 ref: 0278B467
  • Part of subcall function 0278EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0278EF92
  • Part of subcall function 0278EF7C: lstrlenA.KERNEL32(?), ref: 0278EF99
  • Part of subcall function 0278EF7C: lstrlenA.KERNEL32(00000000), ref: 0278EFA0
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
APIs
• GetTickCount.KERNEL32 ref: 02782078
• GetTickCount.KERNEL32 ref: 027820D4
• GetTickCount.KERNEL32 ref: 027820DB
• GetTickCount.KERNEL32 ref: 0278212B
• GetTickCount.KERNEL32 ref: 02782132
• GetTickCount.KERNEL32 ref: 02782142
  • Part of subcall function 0278F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0278E342,00000000,7508EA50,80000001,00000000,0278E513,?,00000000,00000000,?,000000E4), ref: 0278F089
  • Part of subcall function 0278F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0278E342,00000000,7508EA50,80000001,00000000,0278E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0278F093
  • Part of subcall function 0278E854: lstrcpyA.KERNEL32(00000001,?,?,0278D8DF,00000001,localcfg,except_info,00100000,02790264), ref: 0278E88B
  • Part of subcall function 0278E854: lstrlenA.KERNEL32(00000001,?,0278D8DF,00000001,localcfg,except_info,00100000,02790264), ref: 0278E899
  • Part of subcall function 02781C5F: wsprintfA.USER32 ref: 02781CE1
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
APIs
  • Part of subcall function 0278A4C7: GetTickCount.KERNEL32 ref: 0278A4D1
  • Part of subcall function 0278A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0278A4FA
• GetTickCount.KERNEL32 ref: 0278C31F
• GetTickCount.KERNEL32 ref: 0278C32B
• GetTickCount.KERNEL32 ref: 0278C363
• GetTickCount.KERNEL32 ref: 0278C378
• GetTickCount.KERNEL32 ref: 0278C44D
• InterlockedIncrement.KERNEL32(0278C4E4), ref: 0278C4AE
• CreateThread.KERNEL32(00000000,00000000,0278B535,00000000,?,0278C4E0), ref: 0278C4C1
• CloseHandle.KERNEL32(00000000,?,0278C4E0,02793588,02788810), ref: 0278C4CC
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0278BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0278BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0278BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0278BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0278BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0278BF94
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,02789A60,?,?,02789E9D), ref: 02786A7D
• GetDiskFreeSpaceA.KERNEL32(02789E9D,02789A60,?,?,?,027922F8,?,?,?,02789A60,?,?,02789E9D), ref: 02786ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02789A60,?,?,02789E9D), ref: 02786B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02789A60,?,?,02789E9D), ref: 02786B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02789A60,?,?,02789E9D), ref: 02786B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02789A60,?,?,02789E9D), ref: 02786B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02789A60,?,?,02789E9D), ref: 02786B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02789A60,?,?,02789E9D), ref: 02786B80
• GetLastError.KERNEL32(?,?,?,02789A60,?,?,02789E9D,?,?,?,?,?,02789E9D,?,00000022,?), ref: 02786B96
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
APIs
• GetUserNameA.ADVAPI32(?,0278D7C3), ref: 02786F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0278D7C3), ref: 02786FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02786FE8
• LocalFree.KERNEL32(00000120), ref: 0278701F
• wsprintfA.USER32 ref: 02787036
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,027922F8,000000E4,02786DDC,000000C8), ref: 02786CE7
• GetProcAddress.KERNEL32(00000000), ref: 02786CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02786D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02786D2B
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
APIs
• CreateProcessA.KERNEL32(00000000,02789947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,027922F8), ref: 027897B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,027922F8), ref: 027897EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,027922F8), ref: 027897F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,027922F8), ref: 02789831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,027922F8), ref: 0278984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,027922F8), ref: 0278985B
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
  • Part of subcall function 0278DD05: GetTickCount.KERNEL32 ref: 0278DD0F
  • Part of subcall function 0278DD05: InterlockedExchange.KERNEL32(027936B4,00000001), ref: 0278DD44
  • Part of subcall function 0278DD05: GetCurrentThreadId.KERNEL32 ref: 0278DD53
  • Part of subcall function 0278DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0278DDB5
• lstrcpynA.KERNEL32(?,02781E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0278EAAA,?,?), ref: 0278E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0278EAAA,?,?,00000001,?,02781E84,?), ref: 0278E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0278EAAA,?,?,00000001,?,02781E84,?,0000000A), ref: 0278E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0278EAAA,?,?,00000001,?,02781E84,?), ref: 0278E94F
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,027922F8), ref: 0278907B
• wsprintfA.USER32 ref: 027890E9
• CreateFileA.KERNEL32(027922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0278910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02789122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0278912D
• CloseHandle.KERNEL32(00000000), ref: 02789134
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 0278DD0F
• GetCurrentThreadId.KERNEL32 ref: 0278DD20
• GetTickCount.KERNEL32 ref: 0278DD2E
• Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0278E538,?,75920F10,?,00000000,?,0278A445), ref: 0278DD3B
• InterlockedExchange.KERNEL32(027936B4,00000001), ref: 0278DD44
• GetCurrentThreadId.KERNEL32 ref: 0278DD53
Memory Dump Source
• Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
                                                                      • Opcode ID: 8bdee18c0a2ef84cb406f4ccc97ac51b43df508ddab4c258a2f2d1819eb33d12
                                                                      • Instruction ID: 3215e054907aa6197062688ce58264c02a98f6df45ccf48cd6ee13b2ab950c55
                                                                      • Opcode Fuzzy Hash: 8bdee18c0a2ef84cb406f4ccc97ac51b43df508ddab4c258a2f2d1819eb33d12
                                                                      • Instruction Fuzzy Hash: 2FF082739D83049FDB906B7AA888B297BB9E745312F008856E509C2281E7305467CF72
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 0278AD1C
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0278AD60
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0278AD69
                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0278AD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 44f70945f0e692890b10a9e60783020fb292bc619806af4b7d102f9144bb21e3
                                                                      • Instruction ID: a828bc381aaec37a41d3210657786d113ed86a892feaf5c5d8e15f40ead1b26a
                                                                      • Opcode Fuzzy Hash: 44f70945f0e692890b10a9e60783020fb292bc619806af4b7d102f9144bb21e3
                                                                      • Instruction Fuzzy Hash: 1501F520CC42895DDF32663E9848BB53F66AB8670AF505097E4C0DB11DFF64808787B2
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02784BDD
                                                                      • GetTickCount.KERNEL32 ref: 02784BEC
                                                                      • Sleep.KERNEL32(00000000,?,%FROM_EMAIL,02785D02,00000000,?,0278B85C,?,00000080,?,00000000,00000000,?,%FROM_EMAIL), ref: 02784BF9
                                                                      • InterlockedExchange.KERNEL32(02C1B160,00000001), ref: 02784C02
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 2207858713-2903620461
                                                                      • Opcode ID: 9352bc32f6fa63a3a8b7561b06a5aaa473ae63f4f995d7c088ae53c5dde8d293
                                                                      • Instruction ID: 219c75db32ad4e1cae7679c0e70ae83f2e43aceed8b99e9bca82871fdca3e257
                                                                      • Opcode Fuzzy Hash: 9352bc32f6fa63a3a8b7561b06a5aaa473ae63f4f995d7c088ae53c5dde8d293
                                                                      • Instruction Fuzzy Hash: E4E0CD376D131557C71037BE5C84F56779CDB45361F064472F708D2140C5E6946241B5
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,027898FD,00000001,00000100,027922F8,0278A3C7), ref: 02784290
                                                                      • CloseHandle.KERNEL32(0278A3C7), ref: 027843AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 027843AE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID:
                                                                      • API String ID: 1371578007-0
                                                                      • Opcode ID: f9ab18204e088d4fb5a92803502663966be79fb6eff29c3954e38a8bedb958ef
                                                                      • Instruction ID: 27ee121ae3e18fb2737802d6e680692a8fa80a0624978cdf9dfe9a92bc43e5cf
                                                                      • Opcode Fuzzy Hash: f9ab18204e088d4fb5a92803502663966be79fb6eff29c3954e38a8bedb958ef
                                                                      • Instruction Fuzzy Hash: C34189B1C8020ABADB22BBA5DD89FAFBFB9EF41324F104555F614B2180D7748651CBA0
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 0278609C
                                                                      • LoadLibraryA.KERNEL32(?,?,027864CF,00000000), ref: 027860C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0278614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0278619E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: e569700ada756262bcfcbcfc7535d8cd39538fdb6062b93f3c5f1ed11af27c43
                                                                      • Instruction ID: 0e9068ec1ca42eed11b750763c58c465d1f7b71d84c412c7cd5c9d12d3f374bd
                                                                      • Opcode Fuzzy Hash: e569700ada756262bcfcbcfc7535d8cd39538fdb6062b93f3c5f1ed11af27c43
                                                                      • Instruction Fuzzy Hash: EA414971E9020ABFDB14EF58C884B79B7B9EF04358F248169E815E7292E730E955CB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0f3363b31bfe67e9e02e43dba86e7cea58f49f365378502bd4918db28bd91039
                                                                      • Instruction ID: 3c11910484ce6ce2896a562fd130e5242cb86105feba2444adc1a43305394560
                                                                      • Opcode Fuzzy Hash: 0f3363b31bfe67e9e02e43dba86e7cea58f49f365378502bd4918db28bd91039
                                                                      • Instruction Fuzzy Hash: 0C31A072A80308ABDB21AFA9CC85BBEB7F4FF48702F108456ED04E6242E374D641CB55
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0278272E
                                                                      • htons.WS2_32(00000001), ref: 02782752
                                                                      • htons.WS2_32(0000000F), ref: 027827D5
                                                                      • htons.WS2_32(00000001), ref: 027827E3
                                                                      • sendto.WS2_32(?,02792BF8,00000009,00000000,00000010,00000010), ref: 02782802
                                                                        • Part of subcall function 0278EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0278EBFE,7FFF0001,?,0278DB55,7FFF0001), ref: 0278EBD3
                                                                        • Part of subcall function 0278EBCC: RtlAllocateHeap.NTDLL(00000000,?,0278DB55,7FFF0001), ref: 0278EBDA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1128258776-0
                                                                      • Opcode ID: d9dc47aa10342436f570654099cad92a0933e6781f463286ec750b90b6b1cded
                                                                      • Instruction ID: cba2da7e23afb512a6ff477613a19c42776212539ff872bfd592dd5d8085a8e4
                                                                      • Opcode Fuzzy Hash: d9dc47aa10342436f570654099cad92a0933e6781f463286ec750b90b6b1cded
                                                                      • Instruction Fuzzy Hash: 373126346C0382AFD710BF75D881AA577A0EF19328B19845DED558B313E6329493CB50
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,027922F8), ref: 0278915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02789166
                                                                      • CharToOemA.USER32(?,?), ref: 02789174
                                                                      • wsprintfA.USER32 ref: 027891A9
                                                                        • Part of subcall function 02789064: GetTempPathA.KERNEL32(00000400,?,00000000,027922F8), ref: 0278907B
                                                                        • Part of subcall function 02789064: wsprintfA.USER32 ref: 027890E9
                                                                        • Part of subcall function 02789064: CreateFileA.KERNEL32(027922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0278910E
                                                                        • Part of subcall function 02789064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02789122
                                                                        • Part of subcall function 02789064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0278912D
                                                                        • Part of subcall function 02789064: CloseHandle.KERNEL32(00000000), ref: 02789134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 027891E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      • Opcode ID: 029e2e72e133c0002ec18020f8ede405e01fb658278d3f83f51d49bdedc738d6
                                                                      • Instruction ID: 28aa7ede52c37c4e2e532736a8a1a74034378001014ee7d2040f5977c43c9771
                                                                      • Opcode Fuzzy Hash: 029e2e72e133c0002ec18020f8ede405e01fb658278d3f83f51d49bdedc738d6
                                                                      • Instruction Fuzzy Hash: 550152F7D80258BBEB21A6619D4DFEF7B7CDB95701F000492BB49E2040D67096958F70
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02782491,?,?,?,0278E844,-00000030,?,?,?,00000001), ref: 02782429
                                                                      • lstrlenA.KERNEL32(?,?,02782491,?,?,?,0278E844,-00000030,?,?,?,00000001,02781E3D,00000001,localcfg,lid_file_upd), ref: 0278243E
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 02782452
                                                                      • lstrlenA.KERNEL32(?,?,02782491,?,?,?,0278E844,-00000030,?,?,?,00000001,02781E3D,00000001,localcfg,lid_file_upd), ref: 02782467
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$lstrcmpi
                                                                      • String ID: localcfg
                                                                      • API String ID: 1808961391-1857712256
                                                                      • Opcode ID: 7ba272c3479ea1dbbf42ee03e3c6e85bdf155e92197ef2afd09202bfd503bc05
                                                                      • Instruction ID: b4e57a26d18b7cc5c50b1a53800ecc8d943fe819e0a113d421318dd5a28d413b
                                                                      • Opcode Fuzzy Hash: 7ba272c3479ea1dbbf42ee03e3c6e85bdf155e92197ef2afd09202bfd503bc05
                                                                      • Instruction Fuzzy Hash: 6C011A72600258AFCF11FF69CC849DE7BA9EF44395B01C425EC59A7202E330EE518AA4
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      • Opcode ID: f41890d17e3496cdf4e96706b605197264a5131c02a74a0c21e043d375f1229d
                                                                      • Instruction ID: 0e5a98abd7f57369c98f1e0d34a7d270cbed417fc17a7ef67cf6f92e4fce7aee
                                                                      • Opcode Fuzzy Hash: f41890d17e3496cdf4e96706b605197264a5131c02a74a0c21e043d375f1229d
                                                                      • Instruction Fuzzy Hash: 14419C729042989FDB22EF798C44BEE3BE99F49310F240056FDA4D3141E634DA05CFA0
                                                                      APIs
                                                                        • Part of subcall function 0278DD05: GetTickCount.KERNEL32 ref: 0278DD0F
                                                                        • Part of subcall function 0278DD05: InterlockedExchange.KERNEL32(027936B4,00000001), ref: 0278DD44
                                                                        • Part of subcall function 0278DD05: GetCurrentThreadId.KERNEL32 ref: 0278DD53
                                                                      • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,02785EC1), ref: 0278E693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,02785EC1), ref: 0278E6E9
                                                                      • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,02785EC1), ref: 0278E722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: 89ABCDEF
                                                                      • API String ID: 3343386518-71641322
                                                                      • Opcode ID: 34a76be5095d5047ae60df3a90621f3fe2a9ff85f7f39ec03604d4cce6505a59
                                                                      • Instruction ID: c1424c1115de9bca9125079859baeac9e1f99e3c23ee36022b8c254d6981eef7
                                                                      • Opcode Fuzzy Hash: 34a76be5095d5047ae60df3a90621f3fe2a9ff85f7f39ec03604d4cce6505a59
                                                                      • Instruction Fuzzy Hash: 3B31CD31A80706EBCF31AF65D888B6A77E4FB01724F10882AF95587592E770E884CB91
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0278E2A3,00000000,00000000,00000000,00020106,00000000,0278E2A3,00000000,000000E4), ref: 0278E0B2
                                                                      • RegSetValueExA.ADVAPI32(0278E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,027922F8), ref: 0278E127
                                                                      • RegDeleteValueA.ADVAPI32(0278E2A3,?,?,?,?,?,000000C8,027922F8), ref: 0278E158
                                                                      • RegCloseKey.ADVAPI32(0278E2A3,?,?,?,?,000000C8,027922F8,?,?,?,?,?,?,?,?,0278E2A3), ref: 0278E161
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID:
                                                                      • API String ID: 2667537340-0
                                                                      • Opcode ID: 1b27eafc3e707b2432273df8926bd835b04f2e46dd34846679b23adfaadaa690
                                                                      • Instruction ID: 6c77c1d6d65aac7f092233941276fc8ed02373d5940356e81c3dd47f8f3bf547
                                                                      • Opcode Fuzzy Hash: 1b27eafc3e707b2432273df8926bd835b04f2e46dd34846679b23adfaadaa690
                                                                      • Instruction Fuzzy Hash: C3217172E40219BBDF21AEA8DC89EEF7FB9EF09750F108061F904E6150E7318A55CB91
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,0278A3C7,00000000,00000000,000007D0,00000001), ref: 02783F44
                                                                      • GetLastError.KERNEL32 ref: 02783F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02783F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02783F72
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 05fdffb23758aab9b20a1ea206326036adfeb6afdabe94986f6142ebbb5ed34d
                                                                      • Instruction ID: 62f3b4e7dcabcd562342cb0c00306df7ed2fec8296a2f717ee4efa8894844128
                                                                      • Opcode Fuzzy Hash: 05fdffb23758aab9b20a1ea206326036adfeb6afdabe94986f6142ebbb5ed34d
                                                                      • Instruction Fuzzy Hash: 0201E572951219ABDF01EE98DD84BEF7BBCEB04756F104465FA01E2040D734DA258BB2
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,0278A3C7,00000000,00000000,000007D0,00000001), ref: 02783FB8
                                                                      • GetLastError.KERNEL32 ref: 02783FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02783FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02783FE6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0278A4D1
                                                                      • GetTickCount.KERNEL32 ref: 0278A4E4
                                                                      • Sleep.KERNEL32(00000000,?,0278C2E9,0278C4E0,00000000,localcfg,?,0278C4E0,02793588,02788810), ref: 0278A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0278A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02784E9E
                                                                      • GetTickCount.KERNEL32 ref: 02784EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 02784EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02784EC3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02783103
                                                                      • GetTickCount.KERNEL32 ref: 0278310F
                                                                      • Sleep.KERNEL32(00000000), ref: 0278311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02783128
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 536389180-1857712256
                                                                      APIs
                                                                      Strings
                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0278C057
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickwsprintf
                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                      • API String ID: 2424974917-1012700906
                                                                      APIs
                                                                        • Part of subcall function 027830FA: GetTickCount.KERNEL32 ref: 02783103
                                                                        • Part of subcall function 027830FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02783128
                                                                      • GetCurrentThreadId.KERNEL32 ref: 02783929
                                                                      • GetCurrentThreadId.KERNEL32 ref: 02783939
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 3716169038-2903620461
                                                                      APIs
                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0278BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0278ABB9
                                                                      • InterlockedIncrement.KERNEL32(02793640), ref: 0278ABE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 224340156-2903620461
                                                                      APIs
                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 027826C3
                                                                      • inet_ntoa.WS2_32(?), ref: 027826E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                      • String ID: localcfg
                                                                      • API String ID: 2112563974-1857712256
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0278EB54,_alldiv,0278F0B7,80000001,00000000,00989680,00000000,?,?,?,0278E342,00000000,7508EA50,80000001,00000000), ref: 0278EAF2
                                                                      • GetProcAddress.KERNEL32(76E80000,00000000), ref: 0278EB07
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 2574300362-2227199552
                                                                      APIs
                                                                        • Part of subcall function 02782D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02782F01,?,027820FF,02792000), ref: 02782D3A
                                                                        • Part of subcall function 02782D21: LoadLibraryA.KERNEL32(?), ref: 02782D4A
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02782F73
                                                                      • HeapFree.KERNEL32(00000000), ref: 02782F7A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.3322693743.0000000002780000.00000040.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_2780000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0