Windows Analysis Report
2IFYYPRUgO.exe

Overview

General Information

Sample name: 2IFYYPRUgO.exe
Analysis ID: 1515185
MD5: dd9983e56e44b300e97fbead17bbb8ec
SHA1: bcfc4f542d1824b23b5beefe94e8eaa9d487e037
SHA256: 16c9a4debb518681ece83ec9f4eb3edfab08cc4231243db1949a64c80e017aa4
Tags: exe, user-aachum

Detection

Tofsee
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2IFYYPRUgO.exe (PID: 1472 cmdline: "C:\Users\user\Desktop\2IFYYPRUgO.exe" MD5: DD9983E56E44B300E97FBEAD17BBB8EC)
    • cmd.exe (PID: 3228 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\chxnvqnu\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6224 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\uscdfbek.exe" C:\Windows\SysWOW64\chxnvqnu\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2352 cmdline: "C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2680 cmdline: "C:\Windows\System32\sc.exe" description chxnvqnu "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6220 cmdline: "C:\Windows\System32\sc.exe" start chxnvqnu MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 2124 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 3228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1032 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • uscdfbek.exe (PID: 7096 cmdline: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d"C:\Users\user\Desktop\2IFYYPRUgO.exe" MD5: A55CE6DA03E8C8D33F5FBC378D553054)
    • svchost.exe (PID: 940 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 1196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 588 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6616 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 5896 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7096 -ip 7096 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3724 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1472 -ip 1472 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Extracted configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Memory-dump YARA matches (Source / Rule / Description / Author / Strings):
Source: 0000000C.00000002.2078985168.0000000002688000.00000040.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_RedLineStealer_ed346e4c (description unknown, author unknown)
  • 0x107b3:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee, Joe Security)
  Rule: Windows_Trojan_Smokeloader_3687686f (description unknown, author unknown)
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
  Rule: Windows_Trojan_Tofsee_26124fe4 (description unknown, author unknown)
  • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee, Joe Security)
(24 entries in the full table; the remaining rows are collapsed in the source.)
Note on the RedLineStealer and Smokeloader rows: each is a single generic code-pattern string ($a) from a cross-family rule set. The classification is carried by the Tofsee-specific rules and the configuration extractor, and nothing else in this report points to a RedLine or SmokeLoader payload, so treat those two hits as YARA noise rather than a second infection.
Unpacked-PE YARA matches (Source / Rule / Description / Author / Strings):
Source: 0.3.2IFYYPRUgO.exe.40e0000.0.unpack
  Rule: Windows_Trojan_Tofsee_26124fe4 (description unknown, author unknown)
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee (Detects Tofsee, ditekSHen)
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 12.2.uscdfbek.exe.2dd0000.2.raw.unpack
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee, Joe Security)
  Rule: Windows_Trojan_Tofsee_26124fe4 (description unknown, author unknown)
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee (Detects Tofsee, ditekSHen)
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
(39 entries in the full table; the remaining rows are collapsed in the source.)
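The $a pattern of Windows_Trojan_Tofsee_26124fe4 (hit above at 0x27ab, 0xd44 and 0x2544) is a complete function, and disassembling those 51 bytes gives the bot's string-decryption routine: a cdecl function taking (dst, src, len, key, delta) on the stack that XORs each byte with a rolling one-byte key. The same offset 0x2544 appears in the System Summary as a "String function" called 53 times, which is consistent with this being the routine that decrypts the bot's strings at runtime. The Python below is an added example of mine, not code from the report or from Tofsee: it re-implements the routine from the disassembly (the argument order and the key schedule are read from the stack offsets in those bytes), locates the pattern in a dump the way the YARA hit does, and recovers (key, delta) from a blob when one of the MALWARE_Win_Tofsee plaintext strings is known. The demo key, delta and dump bytes are constructed, not values taken from this sample.

```python
# Bytes of the Windows_Trojan_Tofsee_26124fe4 $a string exactly as listed in the report.
TOFSEE_STRING_ROUTINE = bytes.fromhex(
    "55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0"
    " 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA"
    " 5E 8B 45 08 5F 5D C3"
)


def find_string_routine(dump: bytes) -> int:
    """Offset of the routine inside a dump (what the YARA $a hit reports), or -1."""
    return dump.find(TOFSEE_STRING_ROUTINE)


def tofsee_xor(data: bytes, key: int, delta: int) -> bytes:
    """Python equivalent of the routine above.

    Stack layout read from the disassembly:
        [ebp+8] dst, [ebp+0Ch] src, [ebp+10h] length, [ebp+14h] key, [ebp+18h] delta
    Loop body (cl is initialised to 1 before the loop):
        mov dl,[esi+eax] ; xor dl,[ebp+14h] ; mov [eax],dl      -> out[i] = src[i] ^ key
        mov dl,cl ; add dl,[ebp+18h] ; neg cl ; add [ebp+14h],dl -> key += sign + delta ; sign = -sign
    so the key advances by delta+1, delta-1, delta+1, ... in 8-bit arithmetic.
    The keystream does not depend on the data, so the routine is its own inverse:
    the same call encrypts and decrypts for a given (key, delta).
    """
    out = bytearray(len(data))
    key, delta, sign = key & 0xFF, delta & 0xFF, 1
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key + sign + delta) & 0xFF
        sign = -sign
    return bytes(out)


def recover_params(ciphertext: bytes, known_plaintext: bytes):
    """Both parameters are single bytes, so a known plaintext prefix (for example one
    of the strings in the MALWARE_Win_Tofsee rule) recovers (key, delta) in at most
    65536 trials. Returns every pair that reproduces the prefix."""
    n = len(known_plaintext)
    return [(k, d) for k in range(256) for d in range(256)
            if tofsee_xor(ciphertext[:n], k, d) == known_plaintext]


# Constructed demo values: this key/delta pair is made up, not taken from the sample.
DEMO_KEY, DEMO_DELTA = 0x5A, 0x33
DEMO_BLOB = tofsee_xor(b"loader_id", DEMO_KEY, DEMO_DELTA)

if __name__ == "__main__":
    fake_dump = b"\x90" * 0x2544 + TOFSEE_STRING_ROUTINE + b"\xcc" * 16  # constructed dump
    print("routine at", hex(find_string_routine(fake_dump)))
    print("decrypted:", tofsee_xor(DEMO_BLOB, DEMO_KEY, DEMO_DELTA))
    print("recovered params:", recover_params(DEMO_BLOB, b"loader_id"))
```

Because the first output byte fixes key and the second fixes delta, a known prefix of two bytes is already enough for recover_params to return a single pair; longer prefixes only confirm it. In a real dump the routine's callers pass key and delta as immediates, so once find_string_routine locates the function, cross-references to it yield the parameters for each encrypted string without brute force.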

        System Summary

Source: Process started | Author: David Burkett, @signalblur
  Data: Command: svchost.exe; Image: C:\Windows\SysWOW64\svchost.exe; NewProcessName: C:\Windows\SysWOW64\svchost.exe; OriginalFileName: C:\Windows\SysWOW64\svchost.exe; ProcessId: 940; ParentImage: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe; ParentCommandLine: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d"C:\Users\user\Desktop\2IFYYPRUgO.exe"; ParentProcessId: 7096; ParentProcessName: uscdfbek.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems)
  Data: Command: "C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"; Image: C:\Windows\SysWOW64\sc.exe; ProcessId: 2352; ParentImage: C:\Users\user\Desktop\2IFYYPRUgO.exe; ParentCommandLine: "C:\Users\user\Desktop\2IFYYPRUgO.exe"; ParentProcessId: 1472; ParentProcessName: 2IFYYPRUgO.exe
Source: Network Connection | Author: frack113
  Data: EventID: 3; Protocol: tcp; SourceIp: 192.168.2.5; SourcePort: 49705; DestinationIp: 52.101.8.49; DestinationPort: 25; Initiated: true; Image: C:\Windows\SysWOW64\svchost.exe; ProcessId: 940
Source: Process started | Author: Florian Roth (Nextron Systems)
  Data: same svchost.exe event as the first entry (ProcessId 940, parent uscdfbek.exe PID 7096)
Source: Registry Key set | Author: Christian Burkard (Nextron Systems)
  Data: EventID: 13; EventType: SetValue; Image: C:\Windows\SysWOW64\svchost.exe; ProcessId: 940; TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\chxnvqnu; Details: 0
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
  Data: same sc.exe create event as the second entry (ProcessId 2352, parent 2IFYYPRUgO.exe PID 1472)
Source: Process started | Author: vburov
  Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup; Image: C:\Windows\System32\svchost.exe; ProcessId: 6616; ParentProcessId: 632; ParentImage and ParentCommandLine: not recorded
No Suricata rule has matched
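The process tree and the Sigma hits above describe a single installation chain: cmd.exe creates C:\Windows\SysWOW64\chxnvqnu\ and moves the dropped uscdfbek.exe into it, sc.exe registers it as an auto-start service named "wifi support" whose binPath hands the dropper's own path over as /d"..." (consistent with the "Deletes itself after installation" signature), netsh adds an inbound allow rule for SysWOW64\svchost.exe under a name that imitates the real "Host Process for Windows Services", and the service then spawns an svchost.exe with no -k argument that writes a Defender path exclusion. The Python below is an added example of mine, not part of the Joe Sandbox report and not Sigma's own rule code: it encodes each of those steps as a check over Sysmon-style process and registry records. The records are reconstructed from the report's command lines; the field names, the services.exe parent assumed for uscdfbek.exe, and the "sub-folder of C:\Windows" and "parent outside C:\Windows" conditions are this example's assumptions. It also shows why the WerSvcGroup svchost whose parent the report did not record is flagged, exactly as the last Sigma rule above flagged it.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal Sysmon-like record, hand-built for this example."""
    kind: str                 # "process" or "registry"
    pid: int
    image: str
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""          # registry key for "registry" events

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_drop_into_windows_dir(ev):
    """cmd.exe mkdir/move whose destination is under C:\\Windows."""
    if ev.kind != "process" or _base(ev.image) != "cmd.exe":
        return None
    m = re.search(r'\b(mkdir|move)\b.*?(c:\\windows\\[^"\s]+)\s*$', ev.cmdline, re.I)
    return f"{m.group(1).lower()} into {m.group(2)}" if m else None

def check_service_creation(ev):
    """sc.exe create with binPath in a sub-folder of C:\\Windows, or a parent outside C:\\Windows / Program Files (both assumptions)."""
    if ev.kind != "process" or _base(ev.image) != "sc.exe":
        return None
    m = re.search(r'\bcreate\s+\S+\s+binpath=\s*"?([a-z]:\\[^"\s]+)', ev.cmdline, re.I)
    if not m:
        return None
    binpath_dir = m.group(1).lower().rsplit("\\", 1)[0]
    odd_location = binpath_dir.startswith("c:\\windows\\") and binpath_dir.count("\\") > 2
    odd_parent = not ev.parent_image.lower().startswith(("c:\\windows\\", "c:\\program files"))
    if odd_location or odd_parent:
        return f"binPath {m.group(1)} created by {_base(ev.parent_image) or 'unknown'}"
    return None

def check_netsh_allow(ev):
    """netsh advfirewall inbound allow rule for a binary in System32/SysWOW64."""
    if ev.kind != "process" or _base(ev.image) != "netsh.exe":
        return None
    c = ev.cmdline.lower()
    if "advfirewall" not in c or "add rule" not in c or "action=allow" not in c:
        return None
    m = re.search(r'program="?([^"\s]+)', c)
    if m and m.group(1).startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return f"inbound allow for {m.group(1)}"
    return None

def check_svchost(ev):
    """svchost.exe without a -k service group, or not started by services.exe."""
    if ev.kind != "process" or _base(ev.image) != "svchost.exe":
        return None
    reasons = []
    if not re.search(r"\s-k\s+\S+", ev.cmdline):
        reasons.append("no -k service group")
    if _base(ev.parent_image) != "services.exe":
        reasons.append(f"parent is {_base(ev.parent_image) or 'unrecorded'}")
    return "; ".join(reasons) or None

def check_defender_exclusion(ev):
    """Registry write below Windows Defender\\Exclusions."""
    if ev.kind != "registry":
        return None
    marker = "\\windows defender\\exclusions\\"
    idx = ev.target.lower().find(marker)
    return f"Defender exclusion {ev.target[idx + len(marker):]}" if idx >= 0 else None

CHECKS = {
    "file_drop_into_windows_dir": check_drop_into_windows_dir,
    "suspicious_service_creation": check_service_creation,
    "netsh_allow_system_binary": check_netsh_allow,
    "svchost_anomaly": check_svchost,
    "defender_exclusion_registry": check_defender_exclusion,
}

def run(events):
    """(rule, pid, detail) for every check that fires on every event."""
    return [(name, ev.pid, d) for ev in events for name, fn in CHECKS.items() if (d := fn(ev))]

DROPPER = r"C:\Users\user\Desktop\2IFYYPRUgO.exe"
SAMPLE_EVENTS = [  # reconstructed from the report's process tree and Sigma data
    Event("process", 3228, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\chxnvqnu' + "\\", DROPPER),
    Event("process", 6224, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\uscdfbek.exe" '
          r'C:\Windows\SysWOW64\chxnvqnu' + "\\", DROPPER),
    Event("process", 2352, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe '
          r'/d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"', DROPPER),
    Event("process", 2124, r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
          r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes', DROPPER),
    Event("process", 7096, r"C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe",   # services.exe parent is assumed,
          r'C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d"C:\Users\user\Desktop\2IFYYPRUgO.exe"',  # not in the report
          r"C:\Windows\System32\services.exe"),
    Event("process", 940, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
          r"C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe"),
    Event("process", 6616, r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\svchost.exe -k WerSvcGroup", ""),  # parent not recorded
    Event("registry", 940, r"C:\Windows\SysWOW64\svchost.exe",
          target=r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\chxnvqnu"),
]
```

Running run(SAMPLE_EVENTS) fires seven findings: both cmd.exe steps, the service creation, the netsh rule, the Defender exclusion, and both svchost instances (PID 940 for the missing -k and the uscdfbek.exe parent, PID 6616 only for the unrecorded parent). The service binary itself, started by services.exe, trips nothing, which is the point of pairing a broad rule like the svchost check with narrow ones like the netsh and exclusion checks: the broad one produces the lead, the narrow ones confirm it.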


        AV Detection

Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: 12.3.uscdfbek.exe.2630000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\uscdfbek.exe | Joe Sandbox ML: detected
Source: 2IFYYPRUgO.exe | Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Unpacked PE file: 0.2.2IFYYPRUgO.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Unpacked PE file: 12.2.uscdfbek.exe.400000.0.unpack
Source: 2IFYYPRUgO.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (value: C:\Windows\SysWOW64\chxnvqnu)

        Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 195.58.54.132:443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.27:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.111:25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.8.49
Source: Joe Sandbox View | IP Address: 67.195.228.111
Source: Joe Sandbox View | IP Address: 94.100.180.31
Source: Joe Sandbox View | ASN Name: URALTRANSCOM-ASUA
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 52.101.8.49:25
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 67.195.228.111:25
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 64.233.166.27:25
Source: global traffic | TCP traffic: 192.168.2.5:49718 -> 94.100.180.31:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 9 times)
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
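Four TCP/25 connections from the analysis host to addresses in Microsoft, Yahoo, Google and Mail.ru space (the ASN list above), alongside lookups of the providers' mail-exchanger names (microsoft-com.mail.protection.outlook.com, mta6.am0.yahoodns.net, smtp.google.com, mxs.mail.ru), is the direct-to-MX shape of a spam bot: a workstation doing its own mail delivery instead of relaying through a corporate MTA. The Python below is an added example of mine, not code from the report or from Joe Sandbox. It parses lines in the report's "global traffic" format (tolerating either the raw "global trafficTCP traffic:" run-together form or a separated one) and flags any source that reaches several distinct port-25 destinations, listing the mail-exchanger-looking names resolved in the same capture. The name heuristic, the three-destination threshold and the empty MTA allowlist are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the TCP and DNS lines of the Networking section, as text.
REPORT_LINES = """
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 52.101.8.49:25
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 67.195.228.111:25
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 64.233.166.27:25
Source: global traffic | TCP traffic: 192.168.2.5:49718 -> 94.100.180.31:25
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
""".strip().splitlines()

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TCP_RE = re.compile(rf"TCP traffic:\s*{IP}:(\d+)\s*->\s*{IP}:(\d+)")
DNS_RE = re.compile(r"DNS query:\s*(\S+)")
# Heuristic (an assumption of this example): names that look like provider mail exchangers.
MX_HINT = re.compile(r"(^|\.)(mx\w*|mta\d*|smtp|mail\.protection)\.", re.I)


def parse_traffic(lines):
    """Return ([(src, sport, dst, dport), ...], [queried_name, ...]) from report lines."""
    flows, queries = [], []
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
            continue
        m = DNS_RE.search(line)
        if m:
            queries.append(m.group(1).rstrip("."))
    return flows, queries


def direct_to_mx_hosts(flows, queries, min_targets=3, mta_allowlist=frozenset()):
    """Sources that are not known mail servers and opened TCP/25 to at least
    min_targets distinct destinations. mx_lookups lists the MX-looking names
    resolved in the same capture, which is what ties the fan-out to spam delivery."""
    targets = defaultdict(set)
    for src, _sport, dst, dport in flows:
        if dport == 25 and src not in mta_allowlist:
            targets[src].add(dst)
    mx_lookups = sorted(q for q in queries if MX_HINT.search(q))
    return {src: {"smtp_targets": sorted(dsts), "mx_lookups": mx_lookups}
            for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    flows, queries = parse_traffic(REPORT_LINES)
    for src, info in direct_to_mx_hosts(flows, queries).items():
        print(src, "->", len(info["smtp_targets"]), "MX targets; resolved", info["mx_lookups"])
```

On a real network the same fan-out rule runs over firewall or NetFlow records rather than report text, with mta_allowlist holding the addresses of the organisation's own mail relays so that only workstations and servers that should never speak SMTP to the Internet are reported.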

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 12.2.uscdfbek.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.uscdfbek.exe.2610e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.uscdfbek.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2IFYYPRUgO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.uscdfbek.exe.2dd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2IFYYPRUgO.exe.40c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2IFYYPRUgO.exe.40e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2d30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2IFYYPRUgO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.uscdfbek.exe.2630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.uscdfbek.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2IFYYPRUgO.exe PID: 1472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: uscdfbek.exe PID: 7096, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 940, type: MEMORYSTR

        System Summary

Unpacked PE regions (type UNPACKEDPE) matching both Windows_Trojan_Tofsee_26124fe4 (author unknown) and MALWARE_Win_Tofsee "Detects Tofsee" (author ditekSHen):
  • 0.3.2IFYYPRUgO.exe.40e0000.0.unpack
  • 12.2.uscdfbek.exe.2dd0000.2.raw.unpack
  • 12.2.uscdfbek.exe.2610e67.1.raw.unpack
  • 12.2.uscdfbek.exe.400000.0.unpack
  • 0.2.2IFYYPRUgO.exe.400000.0.unpack
  • 13.2.svchost.exe.2d30000.0.raw.unpack
  • 12.2.uscdfbek.exe.2dd0000.2.unpack
  • 0.2.2IFYYPRUgO.exe.40c0e67.1.raw.unpack
  • 0.3.2IFYYPRUgO.exe.40e0000.0.raw.unpack
  • 0.2.2IFYYPRUgO.exe.40c0e67.1.unpack
  • 13.2.svchost.exe.2d30000.0.unpack
  • 12.3.uscdfbek.exe.2630000.0.unpack
  • 0.2.2IFYYPRUgO.exe.400000.0.raw.unpack
  • 12.3.uscdfbek.exe.2630000.0.raw.unpack
  • 12.2.uscdfbek.exe.2610e67.1.unpack
  • 12.2.uscdfbek.exe.400000.0.raw.unpack
Memory dumps (type MEMORY) and the rules they matched:
  • 0000000C.00000002.2078985168.0000000002688000.00000040.00000020.00020000.00000000.sdmp: Windows_Trojan_RedLineStealer_ed346e4c (author unknown)
  • 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp: Windows_Trojan_Smokeloader_3687686f, Windows_Trojan_Tofsee_26124fe4 (author unknown)
  • 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp: Windows_Trojan_Tofsee_26124fe4 (author unknown), Detects Tofsee (ditekSHen)
  • 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp: Windows_Trojan_Tofsee_26124fe4 (author unknown), Detects Tofsee (ditekSHen)
  • 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp: Windows_Trojan_Tofsee_26124fe4 (author unknown), Detects Tofsee (ditekSHen)
  • 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp: Windows_Trojan_Tofsee_26124fe4 (author unknown), Detects Tofsee (ditekSHen)
  • 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp: Windows_Trojan_Smokeloader_3687686f, Windows_Trojan_Tofsee_26124fe4 (author unknown)
  • 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp: Windows_Trojan_Tofsee_26124fe4 (author unknown), Detects Tofsee (ditekSHen)
  • 00000000.00000002.2079068400.000000000263D000.00000040.00000020.00020000.00000000.sdmp: Windows_Trojan_RedLineStealer_ed346e4c (author unknown)
  • 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp: Windows_Trojan_Tofsee_26124fe4 (author unknown), Detects Tofsee (ditekSHen)
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\chxnvqnu\
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_02D3C913
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: String function: 040C27AB appears 35 times
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7096 -ip 7096
Source: 2IFYYPRUgO.exe, 00000000.00000002.2079986362.0000000005120000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej%' vs 2IFYYPRUgO.exe
Source: 2IFYYPRUgO.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Rule metadata reported for 0.3.2IFYYPRUgO.exe.40e0000.0.unpack, 12.2.uscdfbek.exe.2dd0000.2.raw.unpack, 12.2.uscdfbek.exe.2610e67.1.raw.unpack, 12.2.uscdfbek.exe.400000.0.unpack and 0.2.2IFYYPRUgO.exe.400000.0.unpack (type UNPACKEDPE):
  • Windows_Trojan_Tofsee_26124fe4: reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
  • MALWARE_Win_Tofsee: author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.2d30000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.2d30000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.uscdfbek.exe.2dd0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.uscdfbek.exe.2dd0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.2IFYYPRUgO.exe.40c0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.2IFYYPRUgO.exe.40c0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.2IFYYPRUgO.exe.40e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.2IFYYPRUgO.exe.40e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.2IFYYPRUgO.exe.40c0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.2IFYYPRUgO.exe.40c0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.2d30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.2d30000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.uscdfbek.exe.2630000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.uscdfbek.exe.2630000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.2IFYYPRUgO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.2IFYYPRUgO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.uscdfbek.exe.2630000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.uscdfbek.exe.2630000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.uscdfbek.exe.2610e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.uscdfbek.exe.2610e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.uscdfbek.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.uscdfbek.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2078985168.0000000002688000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2079068400.000000000263D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 2IFYYPRUgO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@31/3@9/5
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeCode function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeCode function: 0_2_0264D741 CreateToolhelp32Snapshot,Module32First,0_2_0264D741
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_02D39A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 13_2_02D39A6B
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:3724:64:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5896:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | File created: C:\Users\user\AppData\Local\Temp\uscdfbek.exe
        Source: 2IFYYPRUgO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | File read: C:\Users\user\Desktop\2IFYYPRUgO.exe
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_12-14971
        Source: unknown | Process created: C:\Users\user\Desktop\2IFYYPRUgO.exe "C:\Users\user\Desktop\2IFYYPRUgO.exe"
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\chxnvqnu\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\uscdfbek.exe" C:\Windows\SysWOW64\chxnvqnu\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description chxnvqnu "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start chxnvqnu
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d"C:\Users\user\Desktop\2IFYYPRUgO.exe"
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7096 -ip 7096
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1472 -ip 1472
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 588
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1032
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\chxnvqnu\
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\uscdfbek.exe" C:\Windows\SysWOW64\chxnvqnu\
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description chxnvqnu "wifi internet conection"
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start chxnvqnu
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7096 -ip 7096
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1472 -ip 1472
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 588
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1032
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: 2IFYYPRUgO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Unpacked PE file: 0.2.2IFYYPRUgO.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Unpacked PE file: 12.2.uscdfbek.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Unpacked PE file: 0.2.2IFYYPRUgO.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Unpacked PE file: 12.2.uscdfbek.exe.400000.0.unpack
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_02650A29 push 0000002Bh; iretd 0_2_02650A2F
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Code function: 12_2_0269BAC9 push 0000002Bh; iretd 12_2_0269BACF
Source: 2IFYYPRUgO.exe | Static PE information: section name: .text entropy: 7.790689819243222

        Persistence and Installation Behavior

Source: unknown | Executable created and started: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | File created: C:\Users\user\AppData\Local\Temp\uscdfbek.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe (copy)
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe (copy)
Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\chxnvqnu
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\2ifyyprugo.exe
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 13_2_02D3199C
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-16362
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-16303
Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_13-7605
Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_13-6142
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-15354
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15354
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_13-7324
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_13-7441
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_0-15107
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-15159
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-14987
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14934
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | API coverage: 5.4 %
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 5500 | Thread sleep count: 40 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 5500 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
Source: svchost.exe, 0000000D.00000002.3304379790.0000000003200000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | API call chain: ExitProcess graph end node graph_0-15367
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | API call chain: ExitProcess graph end node graph_12-15356

        Anti Debugging

Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_13-7667
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_0-16423
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_12-16364
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_0264D01E push dword ptr fs:[00000030h] 0_2_0264D01E
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_040C092B mov eax, dword ptr fs:[00000030h] 0_2_040C092B
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_040C0D90 mov eax, dword ptr fs:[00000030h] 0_2_040C0D90
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Code function: 12_2_0261092B mov eax, dword ptr fs:[00000030h] 12_2_0261092B
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Code function: 12_2_02610D90 mov eax, dword ptr fs:[00000030h] 12_2_02610D90
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Code function: 12_2_026980BE push dword ptr fs:[00000030h] 12_2_026980BE
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_02D39A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 13_2_02D39A6B

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 195.58.54.132 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.27 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.111 25
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2D30000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D30000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D30000
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EC8008
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\chxnvqnu\
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\uscdfbek.exe" C:\Windows\SysWOW64\chxnvqnu\
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description chxnvqnu "wifi internet conection"
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start chxnvqnu
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7096 -ip 7096
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1472 -ip 1472
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 588
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1032
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
Source: C:\Users\user\Desktop\2IFYYPRUgO.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeCode function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeCode function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
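The sc.exe and netsh.exe command lines above are the two host changes a defender can match directly in process-creation telemetry: a service registered with a binPath under a new SysWOW64 subdirectory that smuggles the installer's own path in as a /d argument, and a program-only inbound firewall allow for the 32-bit svchost.exe that the injected payload later runs in. The Python below is an added example, not part of the Joe Sandbox report or of the Tofsee sample: it parses constructed process-creation records shaped like the report's lines (the field names parent, image and cmdline are an assumption; map them from Sysmon Event ID 1 or Security 4688 in a real pipeline) and applies those two checks plus the parent and -k checks behind the "Suspect Svchost Activity" Sigma hit listed in the overview.

```python
"""Hunt for the persistence and firewall changes recorded in this report.

Added example, not Joe Sandbox code. The input records are constructed here
in the shape of the report's "Process created" lines; the field names
parent / image / cmdline are assumptions.
"""
import re

SAMPLE_EVENTS = [
    # 1. Service registration copied from the report: random 8-letter service
    #    and directory names, installer path smuggled in as /d"...".
    {"parent": r"C:\Users\user\Desktop\2IFYYPRUgO.exe",
     "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create chxnvqnu binPath= '
                r'"C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" '
                r'type= own start= auto DisplayName= "wifi support"'},
    # 2. Firewall rule from the report that opens the 32-bit svchost.exe inbound.
    {"parent": r"C:\Users\user\Desktop\2IFYYPRUgO.exe",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    # 3. The injection target: svchost.exe started by the service binary, no -k group.
    {"parent": r"C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": "svchost.exe"},
    # 4. Benign control (constructed): a real service host started by the SCM.
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
]

# binPath= "..." where embedded quotes are escaped as \" (as in the report line).
BINPATH_RE = re.compile(r'binPath=\s*"((?:\\.|[^"\\])*)"', re.IGNORECASE)
SVC_CREATE_RE = re.compile(r'sc(?:\.exe)?"?\s+create\s+(\S+)', re.IGNORECASE)
EIGHT_LOWER = re.compile(r'[a-z]{8}')


def parse_sc_create(cmdline):
    """Split an `sc create` command line into (service, exe, args, display_name)."""
    m = SVC_CREATE_RE.search(cmdline)
    if not m:
        return None
    bp = BINPATH_RE.search(cmdline)
    binpath = bp.group(1).replace('\\"', '"') if bp else ""
    ea = re.match(r'\s*"?(.*?\.exe)"?\s*(.*)$', binpath, re.IGNORECASE | re.DOTALL)
    exe, args = (ea.group(1), ea.group(2)) if ea else (binpath, "")
    dn = re.search(r'DisplayName=\s*"([^"]*)"', cmdline, re.IGNORECASE)
    return m.group(1), exe, args, (dn.group(1) if dn else "")


def check_service(ev):
    parsed = parse_sc_create(ev["cmdline"])
    if not parsed:
        return []
    service, exe, args, _display = parsed
    hits = []
    exe_dir, _, exe_name = exe.rpartition("\\")
    # Service binary in a freshly created subdirectory of SysWOW64 (not SysWOW64
    # itself), matching the report's chxnvqnu\uscdfbek.exe layout.
    if re.fullmatch(r'[A-Za-z]:\\Windows\\SysWOW64\\[^\\]+', exe_dir, re.IGNORECASE):
        hits.append("service binary in a new subdirectory of SysWOW64")
    # The installer hands its own user-profile path to the service as /d"...";
    # a legitimate service has no reason to reference a file under C:\Users.
    if re.search(r'/d\s*"?[A-Za-z]:\\Users\\', args, re.IGNORECASE):
        hits.append("service binPath passes a user-profile path as a /d argument")
    # Heuristic keyed to this sample's naming scheme: tune before deploying.
    stem = exe_name.rsplit(".", 1)[0].lower()
    if EIGHT_LOWER.fullmatch(service) and EIGHT_LOWER.fullmatch(stem):
        hits.append("random-looking 8-letter service and binary names (heuristic)")
    return hits


def check_firewall(ev):
    c = ev["cmdline"]
    if not re.search(r'advfirewall\s+firewall\s+add\s+rule', c, re.IGNORECASE):
        return []
    prog = re.search(r'program="?([^"\s]+)"?', c, re.IGNORECASE)
    inbound_allow = (re.search(r'\bdir=in\b', c, re.IGNORECASE)
                     and re.search(r'\baction=allow\b', c, re.IGNORECASE))
    if not (prog and inbound_allow):
        return []
    hits = []
    path = prog.group(1).lower()
    # Windows' own svchost rules are scoped with service=<name>; a program-only
    # allow for svchost.exe opens every service (or injected payload) it hosts.
    if path.endswith("\\svchost.exe") and not re.search(r'\bservice=', c, re.IGNORECASE):
        hits.append("program-only inbound allow rule for svchost.exe")
    if path.endswith("\\syswow64\\svchost.exe"):
        hits.append("rule targets the 32-bit SysWOW64 copy of svchost.exe")
    return hits


def check_svchost(ev):
    if not ev["image"].lower().endswith("\\svchost.exe"):
        return []
    hits = []
    # Real service hosts are children of services.exe (allow-list the few
    # legitimate exceptions seen in your telemetry) and carry a -k group.
    if not ev["parent"].lower().endswith("\\services.exe"):
        hits.append("svchost.exe not started by services.exe")
    if not re.search(r'\s-k\s+\S+', ev["cmdline"]):
        hits.append("svchost.exe launched without a -k service group")
    return hits


def hunt(events):
    """Return [(event_index, [finding, ...]), ...] for events that trip a check."""
    results = []
    for i, ev in enumerate(events):
        image = ev["image"].lower()
        hits = []
        if image.endswith("\\sc.exe"):
            hits += check_service(ev)
        if image.endswith("\\netsh.exe"):
            hits += check_firewall(ev)
        hits += check_svchost(ev)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['image']}")
        for f in findings:
            print("   -", f)
```

Run as a script it prints the findings for the three malicious records and nothing for the benign control. The SysWOW64-subdirectory, /d user-path and program-only svchost firewall checks are the durable ones; the 8-letter-name check only encodes this sample's naming scheme and should be treated as a heuristic.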

        Stealing of Sensitive Information

        Source: Yara matchFile source: 12.2.uscdfbek.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.2610e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.2IFYYPRUgO.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.svchost.exe.2d30000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.2dd0000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.2IFYYPRUgO.exe.40c0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.3.2IFYYPRUgO.exe.40e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.svchost.exe.2d30000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.2IFYYPRUgO.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.uscdfbek.exe.2630000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 2IFYYPRUgO.exe PID: 1472, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: uscdfbek.exe PID: 7096, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 940, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara matchFile source: 12.2.uscdfbek.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.2610e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.2IFYYPRUgO.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.svchost.exe.2d30000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.2dd0000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.2IFYYPRUgO.exe.40c0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.3.2IFYYPRUgO.exe.40e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.svchost.exe.2d30000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.2IFYYPRUgO.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.uscdfbek.exe.2630000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.uscdfbek.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 2IFYYPRUgO.exe PID: 1472, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: uscdfbek.exe PID: 7096, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 940, type: MEMORYSTR
        Source: C:\Users\user\Desktop\2IFYYPRUgO.exeCode function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
        Source: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exeCode function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,12_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_02D388B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,13_2_02D388B0
MITRE ATT&CK Matrix (techniques with at least one matching signature; the number in parentheses is the signature count shown in the matrix cell)

Reconnaissance: none
Resource Development: none
Initial Access: Valid Accounts (1)
Execution: Native API (41); Command and Scripting Interpreter (2); Service Execution (3)
Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14)
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412)
Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
Credential Access: none
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112)
Exfiltration: none
Impact: none
Behavior Graph (ID 1515185, sample 2IFYYPRUgO.exe, start date 21/09/2024, architecture WINDOWS, score 100), rendered as text:

Start node: contacts yahoo.com, vanaheim.cn and 6 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures. Processes started from the start node: uscdfbek.exe, 2IFYYPRUgO.exe, svchost.exe.

2IFYYPRUgO.exe: drops C:\Users\user\AppData\Local\...\uscdfbek.exe (PE32). Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Starts cmd.exe, netsh.exe, a second cmd.exe and 4 other processes, each with a conhost.exe child. The first cmd.exe drops C:\Windows\SysWOW64\...\uscdfbek.exe (copy) (PE32).

uscdfbek.exe: Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures. Starts svchost.exe and WerFault.exe.

svchost.exe (child of uscdfbek.exe): connects to mta6.am0.yahoodns.net 67.195.228.111 port 25 (YAHOO-GQ1US, United States), vanaheim.cn 195.58.54.132 port 443 (local ports 49706, 49716; URALTRANSCOM-ASUA, Russian Federation) and 3 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry).

svchost.exe (top-level node): starts WerFault.exe twice.

Initial sample:
Source | Detection | Scanner | Label
2IFYYPRUgO.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\uscdfbek.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches

URLs:
Source | Detection | Scanner | Label
jotunheim.name:443 | 100% | Avira URL Cloud | malware
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 67.195.228.111 | true | true | | unknown
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.8.49 | true | true | | unknown
vanaheim.cn | 195.58.54.132 | true | true | | unknown
smtp.google.com | 64.233.166.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.58.54.132 | vanaheim.cn | Russian Federation | 41082 | URALTRANSCOM-ASUA | true
52.101.8.49 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
64.233.166.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
67.195.228.111 | mta6.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1515185
                        Start date and time:2024-09-21 23:38:06 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 43s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:23
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:2IFYYPRUgO.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@31/3@9/5
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 61
                        • Number of non-executed functions: 259
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 20.76.201.171, 20.112.250.133, 20.70.246.20, 20.236.44.162, 20.231.239.246
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtEnumerateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: 2IFYYPRUgO.exe
Time | Type | Description
17:39:44 | API Interceptor | 13x Sleep call for process: svchost.exe modified
IPs seen in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name):

Match: 195.58.54.132
  H3nfKrgQbi.exe | malicious | Tofsee
Match: 52.101.8.49
  RSno9EH0K9.exe | malicious | Tofsee
  Uc84uB877e.exe | malicious | Tofsee
  vekvtia.exe | malicious | Tofsee
  Eduhazqw4u.exe | malicious | Tofsee
  .exe | malicious | Unknown
  ewdWlNc8TL.exe | malicious | Tofsee
  kPl1mZTpru.exe | malicious | Tofsee
  Wc4SadetF5.exe | malicious | Tofsee
  L7iza9mNDI.exe | malicious | Tofsee
  file.exe | malicious | Tofsee
Match: 67.195.228.111
  RSno9EH0K9.exe | malicious | Tofsee
  file.exe | malicious | Phorpiex
  gEkl9O5tiu.exe | malicious | Phorpiex
  file.exe | malicious | Phorpiex, Xmrig
  .exe | malicious | Unknown
  file.exe | malicious | Tofsee
  .exe | malicious | Unknown
  Update-KB7390-x86.exe | malicious | Unknown
  Update-KB6734-x86.exe | malicious | Unknown
  Update-KB5058-x86.exe | malicious | Unknown
Match: 94.100.180.31
  H3nfKrgQbi.exe | malicious | Tofsee
  2FnvReiPU6.exe | malicious | Tofsee
  qkkcfptf.exe | malicious | Tofsee
  vekvtia.exe | malicious | Tofsee
  UUJycuNA6D.exe | malicious | Tofsee
  igvdwmhd.exe | malicious | Tofsee
  fdnoqmpv.exe | malicious | Tofsee
  rRBVVlBwia.exe | malicious | Tofsee
  setup.exe | malicious | Tofsee
  m4Jp2TLBHJ.exe | malicious | Tofsee
Domains seen in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name | Context: IP the domain resolved to in that analysis):

Match: mxs.mail.ru
  H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
  2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
  874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
  RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
  ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
  Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
  qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
  vekvtia.exe | malicious | Tofsee | 94.100.180.31
  knkduwqg.exe | malicious | Tofsee | 217.69.139.150
  foufdsk.exe | malicious | Tofsee | 217.69.139.150
Match: mta6.am0.yahoodns.net
  qkkcfptf.exe | malicious | Tofsee | 98.136.96.74
  vekvtia.exe | malicious | Tofsee | 67.195.204.79
  knkduwqg.exe | malicious | Tofsee | 98.136.96.75
  foufdsk.exe | malicious | Tofsee | 98.136.96.76
  UUJycuNA6D.exe | malicious | Tofsee | 67.195.204.77
  SGn3RtDC8Y.exe | malicious | Tofsee | 67.195.228.106
  .exe | malicious | Unknown | 98.136.96.76
  Sm4Ty3Em4z.exe | malicious | Tofsee | 67.195.204.73
  ewdWlNc8TL.exe | malicious | Tofsee | 67.195.204.74
  rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
Match: vanaheim.cn
  H3nfKrgQbi.exe | malicious | Tofsee | 195.58.54.132
  874A7cigvX.exe | malicious | Tofsee | 77.232.41.29
  RSno9EH0K9.exe | malicious | Tofsee | 77.232.41.29
  ODy57hA4Su.exe | malicious | Tofsee | 77.232.41.29
  Uc84uB877e.exe | malicious | Tofsee | 77.232.41.29
  qkkcfptf.exe | malicious | Tofsee | 77.232.41.29
  vekvtia.exe | malicious | Tofsee | 77.232.41.29
  knkduwqg.exe | malicious | Tofsee | 77.232.41.29
  foufdsk.exe | malicious | Tofsee | 77.232.41.29
  UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
Match: microsoft-com.mail.protection.outlook.com
  H3nfKrgQbi.exe | malicious | Tofsee | 52.101.42.0
  2FnvReiPU6.exe | malicious | Tofsee | 52.101.11.9
  874A7cigvX.exe | malicious | Tofsee | 52.101.42.0
  RSno9EH0K9.exe | malicious | Tofsee | 52.101.8.49
  ODy57hA4Su.exe | malicious | Tofsee | 52.101.11.0
  Uc84uB877e.exe | malicious | Tofsee | 52.101.8.49
  qkkcfptf.exe | malicious | Tofsee | 52.101.42.0
  vekvtia.exe | malicious | Tofsee | 52.101.8.49
  knkduwqg.exe | malicious | Tofsee | 52.101.11.0
  foufdsk.exe | malicious | Tofsee | 52.101.40.26
Match | Associated Sample Name / URL | Detection | Threat Name | Context
URALTRANSCOM-ASUA | H3nfKrgQbi.exe | malicious | Tofsee | 195.58.54.132
 | cQOoKCZyG3.elf | malicious | Mirai | 91.215.129.108
 | 09M6JXwjtO.elf | malicious | Mirai | 195.133.84.147
 | Pb0GaINSjK.elf | malicious | Mirai | 194.87.3.81
 | QN5PrDr5St.elf | malicious | Unknown | 195.133.84.180
 | 8dToMPcvO1.elf | malicious | Mirai | 91.215.129.145
 | wsskM49eA3.elf | malicious | Unknown | 195.133.89.28
 | quhEKAdhFU.elf | malicious | Mirai | 91.215.129.137
 | 5z7qDyLr2T.elf | malicious | Mirai | 91.215.129.142
 | NwB5j32x4j.elf | malicious | Mirai | 91.215.129.123
YAHOO-GQ1US | https://nke.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=/account/challenge/password | malicious | HTMLPhisher | 67.195.160.106
 | http://opm.pages.dev/account/js-reporting?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=/account/challenge/password | malicious | HTMLPhisher | 74.6.160.106
 | http://jss.pages.dev/account/js-reporting?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=/account/challenge/password | malicious | HTMLPhisher | 74.6.160.106
 | Play_VM-NowXuerebjAudiowav012.html | malicious | HTMLPhisher | 98.137.11.163
 | RSno9EH0K9.exe | malicious | Tofsee | 67.195.228.111
 | ODy57hA4Su.exe | malicious | Tofsee | 67.195.228.109
 | Uc84uB877e.exe | malicious | Tofsee | 67.195.228.109
 | mpsl.elf | malicious | Mirai, Moobot | 67.195.2.108
 | 154.213.187.80-x86-2024-09-01T00_09_56.elf | malicious | Mirai | 98.137.238.184
 | teste.x86.elf | malicious | Mirai, Moobot, Okiru | 98.137.238.174
MICROSOFT-CORP-MSN-AS-BLOCKUS | 6b58b6.msi | malicious | PureLog Stealer | 20.103.202.45
 | http://is.gd/EmlK8C | malicious | Unknown | 150.171.27.10
 | H3nfKrgQbi.exe | malicious | Tofsee | 52.101.42.0
 | Ordem de Compra 457525.xls | malicious | Unknown | 13.107.246.60
 | Copy0761000025.xlsm | malicious | Unknown | 13.107.253.72
 | rPO767575.cmd | malicious | DBatLoader | 13.107.137.11
 | 160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.25.xls | malicious | Unknown | 13.107.246.60
 | 160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.24.xls | malicious | Unknown | 13.107.246.60
 | 8zzBr1gT31.elf | malicious | Mirai | 22.112.76.125
 | 160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.23.xls | malicious | Unknown | 13.107.246.60
MAILRU-ASMailRuRU | H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
 | 8zzBr1gT31.elf | malicious | Mirai | 5.61.23.57
 | 2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
 | OuZGkt7xKK.exe | malicious | Coinhive, Xmrig | 178.237.20.50
 | OuZGkt7xKK.exe | malicious | Coinhive, Xmrig | 178.237.20.50
 | 874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
 | RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
 | ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
 | Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
 | qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
No context
No context
Process: C:\Users\user\Desktop\2IFYYPRUgO.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14320128
Entropy (8bit): 5.252062721995976
Encrypted: false
SSDEEP: 98304:VxTETETETETETETETETETETETETETETETETETETETETETETETETETETETETETETq:
MD5: A55CE6DA03E8C8D33F5FBC378D553054
SHA1: E6D20B374498308D5A1BABD42B8B14526504F643
SHA-256: 195F171362E94C1846B0A6A8A368EE09599C069542CE6162E898F05D6D12CDA5
SHA-512: 13976E704D1CD3D1FCDD13FB69A43708F7CEC1B4F19E05CBB0FE489E7F03FF7FAC908E2D30D8431E04D01AB2854DE27F3D061ADBC3E69FF322BD9BF14DF9B092
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......AvW...9}..9}..9}ja.}..9}ja.}..9}ja.}i.9}.o.}..9}..8}..9}ja.}..9}ja.}..9}ja.}..9}Rich..9}........................PE..L....m.e............................-j............@..................................r......................................4...x.......(............................................................O..@...............,............................text............................... ..`.data...........^..................@....rsrc...(........X...*..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14320128
Entropy (8bit): 5.252062721995976
Encrypted: false
SSDEEP: 98304:VxTETETETETETETETETETETETETETETETETETETETETETETETETETETETETETETq:
MD5: A55CE6DA03E8C8D33F5FBC378D553054
SHA1: E6D20B374498308D5A1BABD42B8B14526504F643
SHA-256: 195F171362E94C1846B0A6A8A368EE09599C069542CE6162E898F05D6D12CDA5
SHA-512: 13976E704D1CD3D1FCDD13FB69A43708F7CEC1B4F19E05CBB0FE489E7F03FF7FAC908E2D30D8431E04D01AB2854DE27F3D061ADBC3E69FF322BD9BF14DF9B092
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......AvW...9}..9}..9}ja.}..9}ja.}..9}ja.}i.9}.o.}..9}..8}..9}ja.}..9}ja.}..9}ja.}..9}Rich..9}........................PE..L....m.e............................-j............@..................................r......................................4...x.......(............................................................O..@...............,............................text............................... ..`.data...........^..................@....rsrc...(........X...*..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.79756115920307
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 2IFYYPRUgO.exe
File size: 457'728 bytes
MD5: dd9983e56e44b300e97fbead17bbb8ec
SHA1: bcfc4f542d1824b23b5beefe94e8eaa9d487e037
SHA256: 16c9a4debb518681ece83ec9f4eb3edfab08cc4231243db1949a64c80e017aa4
SHA512: 02663157f5a109a122897fb0ac32eda38a9ed5d289b70ef1541e3ca800e02a41d471879e04d1bd59eb2110e4a0f8cd7851e3bacba04147ffa488997e8a100457
SSDEEP: 6144:XZBpoyz+AlKudZ10mVtZ4ELIgjdo7d5UNo4MaGSlrLo5FXCnFk:Xruyz+PMZ10mVrLL/27gWxerCSC
TLSH: A3A48FE342B1BC55F9224E72AE1EE6ED357FF5608D5467271218AA2F24703F2D163B20
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......AvW...9}..9}..9}ja.}..9}ja.}..9}ja.}i.9}.o.}..9}..8}..9}ja.}..9}ja.}..9}ja.}..9}Rich..9}........................PE..L....m.e...
Icon Hash: 512549454545510d
Entrypoint: 0x406a2d
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x65146D04 [Wed Sep 27 17:57:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: de80f36f2a6fc0a853a31d1d9771ee6a
Instruction
call 00007F81DCF512F7h
jmp 00007F81DCF4E11Eh
int3
int3
int3
int3
int3
int3
int3
int3
int3
call 00007F81DCF4E2CCh
xchg cl, ch
jmp 00007F81DCF4E2B4h
call 00007F81DCF4E2C3h
fxch st(0), st(1)
jmp 00007F81DCF4E2ABh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F81DCF4E2A1h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F81DCF4E296h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F81DCF4E294h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007F81DCF4E297h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007F81DCF4E8BFh
fstp st(0)
fld tbyte ptr [00401C0Ah]
ret
fstp st(0)
or cl, cl
je 00007F81DCF4E29Dh
fstp st(0)
fldpi
or ch, ch
je 00007F81DCF4E294h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007F81DCF4E289h
fchs
ret
fstp st(0)
jmp 00007F81DCF4E895h
fstp st(0)
mov cl, ch
jmp 00007F81DCF4E292h
call 00007F81DCF4E25Eh
jmp 00007F81DCF4E8A0h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
                                                                                      add esp, 00000000h
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3cb34 | 0x78 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x205a000 | 0x2d128 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3cbac | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4fc0 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x22c | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3c7f2 | 0x3c800 | 59f998286ded174d4f6304fa98088344 | False | 0.8747054170971075 | data | 7.790689819243222 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x3e000 | 0x201b0e4 | 0x5e00 | c449db746c9c294bd509845dcac67ff3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x205a000 | 0x2d128 | 0x2d200 | 9701c279f67eb0d3033f3dfb832b2d0c | False | 0.4509716932132964 | data | 5.182893258769138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| PAMIYUYOVELURASEYOKODIJEBAWABIBO | 0x2081ac8 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5899857678871782 |
| PAMIYUYOVELURASEYOKODIJEBAWABIBO | 0x2081ac8 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5899857678871782 |
| ZEZEJEFIJICEDORIJ | 0x2080758 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | India | 0.5917587939698492 |
| ZEZEJEFIJICEDORIJ | 0x2080758 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | Sri Lanka | 0.5917587939698492 |
| RT_CURSOR | 0x2083938 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663 |
| RT_CURSOR | 0x20847e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141 |
| RT_CURSOR | 0x2085088 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497 |
| RT_ICON | 0x205ad50 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.43336886993603413 |
| RT_ICON | 0x205ad50 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.43336886993603413 |
| RT_ICON | 0x205bbf8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5397111913357401 |
| RT_ICON | 0x205bbf8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5397111913357401 |
| RT_ICON | 0x205c4a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6059907834101382 |
| RT_ICON | 0x205c4a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6059907834101382 |
| RT_ICON | 0x205cb68 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6770231213872833 |
| RT_ICON | 0x205cb68 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6770231213872833 |
| RT_ICON | 0x205d0d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.33184647302904563 |
| RT_ICON | 0x205d0d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.33184647302904563 |
| RT_ICON | 0x205f678 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.4075984990619137 |
| RT_ICON | 0x205f678 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.4075984990619137 |
| RT_ICON | 0x2060720 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.47295081967213115 |
| RT_ICON | 0x2060720 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.47295081967213115 |
| RT_ICON | 0x20610a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.5531914893617021 |
| RT_ICON | 0x20610a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.5531914893617021 |
| RT_ICON | 0x2061588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3662046908315565 |
| RT_ICON | 0x2061588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3662046908315565 |
| RT_ICON | 0x2062430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.45216606498194944 |
| RT_ICON | 0x2062430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.45216606498194944 |
| RT_ICON | 0x2062cd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.4573732718894009 |
| RT_ICON | 0x2062cd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.4573732718894009 |
| RT_ICON | 0x20633a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4588150289017341 |
| RT_ICON | 0x20633a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4588150289017341 |
| RT_ICON | 0x2063908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.2697095435684647 |
| RT_ICON | 0x2063908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.2697095435684647 |
| RT_ICON | 0x2065eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.3074577861163227 |
| RT_ICON | 0x2065eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.3074577861163227 |
| RT_ICON | 0x2066f58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.35726950354609927 |
| RT_ICON | 0x2066f58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.35726950354609927 |
| RT_ICON | 0x2067428 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.5671641791044776 |
| RT_ICON | 0x2067428 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.5671641791044776 |
| RT_ICON | 0x20682d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5478339350180506 |
| RT_ICON | 0x20682d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5478339350180506 |
| RT_ICON | 0x2068b78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.6105491329479769 |
| RT_ICON | 0x2068b78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.6105491329479769 |
| RT_ICON | 0x20690e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4632780082987552 |
| RT_ICON | 0x20690e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4632780082987552 |
| RT_ICON | 0x206b688 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.4875703564727955 |
| RT_ICON | 0x206b688 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.4875703564727955 |
| RT_ICON | 0x206c730 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4930327868852459 |
| RT_ICON | 0x206c730 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4930327868852459 |
| RT_ICON | 0x206d0b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.449468085106383 |
| RT_ICON | 0x206d0b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.449468085106383 |
| RT_ICON | 0x206d588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.39152452025586354 |
| RT_ICON | 0x206d588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.39152452025586354 |
| RT_ICON | 0x206e430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5144404332129964 |
| RT_ICON | 0x206e430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5144404332129964 |
| RT_ICON | 0x206ecd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5783410138248848 |
| RT_ICON | 0x206ecd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5783410138248848 |
| RT_ICON | 0x206f3a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.5823699421965318 |
| RT_ICON | 0x206f3a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.5823699421965318 |
| RT_ICON | 0x206f908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.3878630705394191 |
| RT_ICON | 0x206f908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.3878630705394191 |
| RT_ICON | 0x2071eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.42964352720450283 |
| RT_ICON | 0x2071eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.42964352720450283 |
| RT_ICON | 0x2072f58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4151639344262295 |
| RT_ICON | 0x2072f58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4151639344262295 |
| RT_ICON | 0x20738e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.48847517730496454 |
| RT_ICON | 0x20738e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.48847517730496454 |
| RT_ICON | 0x2073dc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.48933901918976547 |
| RT_ICON | 0x2073dc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.48933901918976547 |
| RT_ICON | 0x2074c68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.46886281588447654 |
| RT_ICON | 0x2074c68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.46886281588447654 |
| RT_ICON | 0x2075510 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.434971098265896 |
| RT_ICON | 0x2075510 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.434971098265896 |
| RT_ICON | 0x2075a78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.27977178423236515 |
| RT_ICON | 0x2075a78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.27977178423236515 |
| RT_ICON | 0x2078020 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.2903377110694184 |
| RT_ICON | 0x2078020 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.2903377110694184 |
| RT_ICON | 0x20790c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.31024590163934423 |
| RT_ICON | 0x20790c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.31024590163934423 |
| RT_ICON | 0x2079a50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3377659574468085 |
| RT_ICON | 0x2079a50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3377659574468085 |
| RT_ICON | 0x2079f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3829957356076759 |
| RT_ICON | 0x2079f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3829957356076759 |
| RT_ICON | 0x207adc8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5424187725631769 |
| RT_ICON | 0x207adc8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5424187725631769 |
| RT_ICON | 0x207b670 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6215437788018433 |
| RT_ICON | 0x207b670 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6215437788018433 |
| RT_ICON | 0x207bd38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6596820809248555 |
| RT_ICON | 0x207bd38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6596820809248555 |
| RT_ICON | 0x207c2a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.5139004149377593 |
| RT_ICON | 0x207c2a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.5139004149377593 |
| RT_ICON | 0x207e848 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.5382270168855535 |
| RT_ICON | 0x207e848 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.5382270168855535 |
| RT_ICON | 0x207f8f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.5217213114754098 |
| RT_ICON | 0x207f8f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.5217213114754098 |
| RT_ICON | 0x2080278 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5815602836879432 |
| RT_ICON | 0x2080278 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5815602836879432 |
| RT_STRING | 0x2085878 | 0x506 | data | Tamil | India | 0.44712286158631415 |
| RT_STRING | 0x2085878 | 0x506 | data | Tamil | Sri Lanka | 0.44712286158631415 |
| RT_STRING | 0x2085d80 | 0x6fa | data | Tamil | India | 0.4232922732362822 |
| RT_STRING | 0x2085d80 | 0x6fa | data | Tamil | Sri Lanka | 0.4232922732362822 |
| RT_STRING | 0x2086480 | 0x2cc | data | Tamil | India | 0.48463687150837986 |
| RT_STRING | 0x2086480 | 0x2cc | data | Tamil | Sri Lanka | 0.48463687150837986 |
| RT_STRING | 0x2086750 | 0x606 | data | Tamil | India | 0.4383916990920882 |
| RT_STRING | 0x2086750 | 0x606 | data | Tamil | Sri Lanka | 0.4383916990920882 |
| RT_STRING | 0x2086d58 | 0x3cc | data | Tamil | India | 0.45267489711934156 |
| RT_STRING | 0x2086d58 | 0x3cc | data | Tamil | Sri Lanka | 0.45267489711934156 |
| RT_ACCELERATOR | 0x2083900 | 0x38 | data | Tamil | India | 0.9107142857142857 |
| RT_ACCELERATOR | 0x2083900 | 0x38 | data | Tamil | Sri Lanka | 0.9107142857142857 |
| RT_GROUP_CURSOR | 0x20855f0 | 0x30 | data | | | 0.9375 |
| RT_GROUP_ICON | 0x206d520 | 0x68 | data | Tamil | India | 0.7115384615384616 |
| RT_GROUP_ICON | 0x206d520 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616 |
| RT_GROUP_ICON | 0x2061510 | 0x76 | data | Tamil | India | 0.6610169491525424 |
| RT_GROUP_ICON | 0x2061510 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424 |
| RT_GROUP_ICON | 0x20673c0 | 0x68 | data | Tamil | India | 0.7115384615384616 |
| RT_GROUP_ICON | 0x20673c0 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616 |
| RT_GROUP_ICON | 0x2073d48 | 0x76 | data | Tamil | India | 0.6779661016949152 |
| RT_GROUP_ICON | 0x2073d48 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152 |
| RT_GROUP_ICON | 0x20806e0 | 0x76 | data | Tamil | India | 0.6864406779661016 |
| RT_GROUP_ICON | 0x20806e0 | 0x76 | data | Tamil | Sri Lanka | 0.6864406779661016 |
| RT_GROUP_ICON | 0x2079eb8 | 0x68 | data | Tamil | India | 0.7019230769230769 |
| RT_GROUP_ICON | 0x2079eb8 | 0x68 | data | Tamil | Sri Lanka | 0.7019230769230769 |
| RT_VERSION | 0x2085620 | 0x258 | data | | | 0.5466666666666666 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetCommState, InterlockedDecrement, GetCurrentProcess, InterlockedCompareExchange, SetVolumeMountPointW, CreateHardLinkA, GetModuleHandleW, CreateNamedPipeW, EnumCalendarInfoExW, GetNumberFormatA, CreateActCtxW, TlsSetValue, LoadLibraryW, GetLocaleInfoW, GetCalendarInfoA, CreateEventA, GetFileAttributesA, GetTimeFormatW, GetModuleFileNameW, FindNextVolumeMountPointW, GetTempPathW, GetShortPathNameA, CreateJobObjectA, VerifyVersionInfoW, InterlockedExchange, GlobalUnfix, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetProcAddress, GetLongPathNameA, PeekConsoleInputW, EnumSystemCodePagesW, GetConsoleDisplayMode, InterlockedIncrement, LoadModule, GetProcessVersion, SetThreadPriorityBoost, LoadLibraryA, InterlockedExchangeAdd, CreateFileMappingA, LocalAlloc, GetFileType, FoldStringW, SetEnvironmentVariableA, EnumDateFormatsA, GetProcessShutdownParameters, LoadLibraryExA, GetFileTime, WaitForDebugEvent, OpenEventW, SetFileShortNameA, GetVersionExA, GetDiskFreeSpaceExW, GetWindowsDirectoryW, LocalFree, LCMapStringW, CommConfigDialogW, CloseHandle, GetStringTypeW, MultiByteToWideChar, CreateFileW, WriteConsoleW, RaiseException, GetConsoleAliasExesLengthA, SetEndOfFile, GetConsoleAliasExesA, EnumCalendarInfoA, GlobalMemoryStatus, SetComputerNameA, SetDefaultCommConfigA, HeapSize, FlushFileBuffers, SetStdHandle, IsValidCodePage, HeapAlloc, HeapReAlloc, ExitProcess, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, WriteFile, HeapCreate, HeapFree, SetFilePointer, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, RtlUnwind, GetCPInfo, GetACP, GetOEMCP |
| USER32.dll | SetCaretPos, GetMenuStringA, LoadMenuA, InsertMenuItemW, GetMenu, DrawStateA, GetWindowLongW, GetSysColor, CharUpperA |
| GDI32.dll | GetBkMode, GetCharWidthFloatA, CreateDCA, GetCharWidth32W, GetTextCharset, GetCharWidthI |
| WINHTTP.dll | WinHttpConnect |
| MSIMG32.dll | GradientFill |
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 21, 2024 23:39:02.445681095 CEST | 192.168.2.5 | 1.1.1.1 | 0xc85c | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:05.433093071 CEST | 192.168.2.5 | 1.1.1.1 | 0xdb84 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.473198891 CEST | 192.168.2.5 | 1.1.1.1 | 0x9676 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:39:22.481208086 CEST | 192.168.2.5 | 1.1.1.1 | 0x3742 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:42.505295992 CEST | 192.168.2.5 | 1.1.1.1 | 0x5c83 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:39:42.513850927 CEST | 192.168.2.5 | 1.1.1.1 | 0x2afc | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:40:02.533337116 CEST | 192.168.2.5 | 1.1.1.1 | 0x823b | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:40:02.541579008 CEST | 192.168.2.5 | 1.1.1.1 | 0x4c24 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:41:04.778850079 CEST | 192.168.2.5 | 1.1.1.1 | 0x6605 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 21, 2024 23:39:02.472946882 CEST | 1.1.1.1 | 192.168.2.5 | 0xc85c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:02.472946882 CEST | 1.1.1.1 | 192.168.2.5 | 0xc85c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:02.472946882 CEST | 1.1.1.1 | 192.168.2.5 | 0xc85c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:02.472946882 CEST | 1.1.1.1 | 192.168.2.5 | 0xc85c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:05.601131916 CEST | 1.1.1.1 | 192.168.2.5 | 0xdb84 | No error (0) | vanaheim.cn | | 195.58.54.132 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.480446100 CEST | 1.1.1.1 | 192.168.2.5 | 0x9676 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:39:22.480446100 CEST | 1.1.1.1 | 192.168.2.5 | 0x9676 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:39:22.480446100 CEST | 1.1.1.1 | 192.168.2.5 | 0x9676 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.111 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:22.488739967 CEST | 1.1.1.1 | 192.168.2.5 | 0x3742 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:42.513012886 CEST | 1.1.1.1 | 192.168.2.5 | 0x5c83 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:39:42.523092985 CEST | 1.1.1.1 | 192.168.2.5 | 0x2afc | No error (0) | smtp.google.com | | 64.233.166.27 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:42.523092985 CEST | 1.1.1.1 | 192.168.2.5 | 0x2afc | No error (0) | smtp.google.com | | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:42.523092985 CEST | 1.1.1.1 | 192.168.2.5 | 0x2afc | No error (0) | smtp.google.com | | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:42.523092985 CEST | 1.1.1.1 | 192.168.2.5 | 0x2afc | No error (0) | smtp.google.com | | 74.125.133.26 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:39:42.523092985 CEST | 1.1.1.1 | 192.168.2.5 | 0x2afc | No error (0) | smtp.google.com | | 74.125.133.27 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:40:02.540895939 CEST | 1.1.1.1 | 192.168.2.5 | 0x823b | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 21, 2024 23:40:02.549489021 CEST | 1.1.1.1 | 192.168.2.5 | 0x4c24 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:40:02.549489021 CEST | 1.1.1.1 | 192.168.2.5 | 0x4c24 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:41:05.021414995 CEST | 1.1.1.1 | 192.168.2.5 | 0x6605 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:41:05.021414995 CEST | 1.1.1.1 | 192.168.2.5 | 0x6605 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:41:05.021414995 CEST | 1.1.1.1 | 192.168.2.5 | 0x6605 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 23:41:05.021414995 CEST | 1.1.1.1 | 192.168.2.5 | 0x6605 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false

                                                                                      Target ID:0
                                                                                      Start time:17:38:57
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Users\user\Desktop\2IFYYPRUgO.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\2IFYYPRUgO.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:457'728 bytes
                                                                                      MD5 hash:DD9983E56E44B300E97FBEAD17BBB8EC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2043185641.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2079068400.000000000263D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:17:38:57
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\chxnvqnu\
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:17:38:57
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:17:38:58
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\uscdfbek.exe" C:\Windows\SysWOW64\chxnvqnu\
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:17:38:58
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:17:38:58
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                      Imagebase:0x400000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:17:38:59
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:17:38:59
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" description chxnvqnu "wifi internet conection"
                                                                                      Imagebase:0x400000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:9
                                                                                      Start time:17:38:59
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" start chxnvqnu
                                                                                      Imagebase:0x400000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d"C:\Users\user\Desktop\2IFYYPRUgO.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:14'320'128 bytes
                                                                                      MD5 hash:A55CE6DA03E8C8D33F5FBC378D553054
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2078985168.0000000002688000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2079103055.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2074120275.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:svchost.exe
                                                                                      Imagebase:0x6c0000
                                                                                      File size:46'504 bytes
                                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:14
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                      Imagebase:0x7ff7e52b0000
                                                                                      File size:55'320 bytes
                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:15
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7096 -ip 7096
                                                                                      Imagebase:0x100000
                                                                                      File size:483'680 bytes
                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:16
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                      Imagebase:0x1080000
                                                                                      File size:82'432 bytes
                                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:17
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:18
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1472 -ip 1472
                                                                                      Imagebase:0x100000
                                                                                      File size:483'680 bytes
                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:19
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 588
                                                                                      Imagebase:0x100000
                                                                                      File size:483'680 bytes
                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:20
                                                                                      Start time:17:39:00
                                                                                      Start date:21/09/2024
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1032
                                                                                      Imagebase:0x100000
                                                                                      File size:483'680 bytes
                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true
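
Read together, Target IDs 8 through 16 above record one persistence chain: sc.exe creates an auto-start service whose binPath lives in a SysWOW64 subdirectory named after the service and embeds a /d"<dropper path>" argument, describes and starts it, the service binary (Target ID 12) runs with that argument and is where the Tofsee Yara rules fire, a 32-bit svchost.exe (Target ID 13) is started with no -k group (the "Suspect Svchost Activity" Sigma hit from the overview), and netsh (Target ID 16) adds an inbound allow rule for that svchost.exe. The Python below is an added example, not Joe Sandbox output or Tofsee code: it runs detection logic for those four observables over process-creation events as a Sysmon Event ID 1 or Security 4688 feed would supply them (image path plus command line). The sample events are constructed from the command lines above plus two benign controls; the Finding type, the rule names and the heuristics (service name equal to its directory name, /d argument pointing under \Users\, svchost without -k, allow rule naming svchost.exe) are mine and key on the layout seen in this report rather than on a family-wide signature.

```python
"""Detect the sc.exe / service-binary / svchost / netsh chain from the process tree.

Added example for this report; the rule ids and heuristics are assumptions made
here, not Joe Sandbox signatures.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule id, named for this example
    image: str     # process image path from the event
    detail: str    # the value that triggered the rule


# Constructed process-creation events (image, command line) modelled on the
# process tree above, plus two benign controls. Not parsed from the report page.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" create chxnvqnu binPath= "C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d\"C:\Users\user\Desktop\2IFYYPRUgO.exe\"" type= own start= auto DisplayName= "wifi support"'),
    (r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" description chxnvqnu "wifi internet conection"'),
    (r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start chxnvqnu'),
    (r"C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe",
     r'C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe /d"C:\Users\user\Desktop\2IFYYPRUgO.exe"'),
    (r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    # benign controls: a service query and a normally parameterised svchost
    (r"C:\Windows\System32\sc.exe", r'"C:\Windows\System32\sc.exe" query wuauserv'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
]

_SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)', re.I)
# binPath value as sc.exe quotes it, with the inner \" escapes preserved
_BINPATH = re.compile(r'binPath=\s*"((?:[^"\\]|\\.)*)"', re.I)
_FIRST_EXE = re.compile(r'\s*"?([^"]*?\.exe)', re.I)
_D_ARG = re.compile(r'/d\\?"(.+?)\\?"', re.I)   # /d"<path>" or, inside binPath, /d\"<path>\"
_K_GROUP = re.compile(r'(?:^|\s)-k\s+\S+', re.I)
_NETSH_ADD = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b', re.I)
_NETSH_PROG = re.compile(r'program="?([^"\s]+)', re.I)
_WINDIR = re.compile(r'^[a-z]:\\windows\\', re.I)


def _under_users(path: str) -> bool:
    return "\\users\\" in path.lower()


def check_sc_create(image: str, cmdline: str) -> list:
    """sc create whose binary sits in a Windows-dir folder named after the service,
    and/or whose binPath carries a /d"<path under \\Users\\>" argument."""
    m = _SC_CREATE.search(cmdline)
    bp = _BINPATH.search(cmdline) if m else None
    if not bp:
        return []
    svc, binpath = m.group(1), bp.group(1)
    exe_m = _FIRST_EXE.match(binpath)
    exe = exe_m.group(1) if exe_m else binpath
    out = []
    if _WINDIR.match(exe) and ntpath.basename(ntpath.dirname(exe)).lower() == svc.lower():
        out.append(Finding("sc_create_self_named_dir", image, f"{svc} -> {exe}"))
    d = _D_ARG.search(binpath)
    if d and _under_users(d.group(1)):
        out.append(Finding("sc_create_dropper_arg", image, d.group(1)))
    return out


def check_dropper_arg(image: str, cmdline: str) -> list:
    """A binary under the Windows directory (not sc.exe itself) started with
    /d"<path under \\Users\\>": the service process told where the sample lives."""
    d = _D_ARG.search(cmdline)
    if d and _WINDIR.match(image) and _under_users(d.group(1)) \
            and ntpath.basename(image).lower() != "sc.exe":
        return [Finding("windows_binary_with_dropper_arg", image, d.group(1))]
    return []


def check_svchost(image: str, cmdline: str) -> list:
    """svchost.exe started without a -k <group>; the real host always gets one."""
    if ntpath.basename(image).lower() == "svchost.exe" and not _K_GROUP.search(cmdline):
        return [Finding("svchost_without_k_group", image, cmdline)]
    return []


def check_netsh_allow(image: str, cmdline: str) -> list:
    """netsh advfirewall ... add rule ... action=allow whose program= is an svchost.exe."""
    if not _NETSH_ADD.search(cmdline) or not re.search(r"action=allow", cmdline, re.I):
        return []
    p = _NETSH_PROG.search(cmdline)
    if p and ntpath.basename(p.group(1)).lower() == "svchost.exe":
        return [Finding("netsh_allow_svchost", image, p.group(1))]
    return []


RULES = (check_sc_create, check_dropper_arg, check_svchost, check_netsh_allow)


def scan(events) -> list:
    """Apply every rule to every (image, cmdline) event and collect the findings."""
    findings = []
    for image, cmdline in events:
        for rule in RULES:
            findings.extend(rule(image, cmdline))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run as a script it prints five findings for the constructed events and none for the two controls. On a live feed, require services.exe as the parent before alerting on the svchost rule, and treat the self-named-directory rule as a pivot rather than a verdict, since a legitimate installer can lay a service out the same way under %SystemRoot%.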


                                                                                        Execution Graph

                                                                                        Execution Coverage:3.6%
                                                                                        Dynamic/Decrypted Code Coverage:31%
                                                                                        Signature Coverage:25.4%
                                                                                        Total number of Nodes:1562
                                                                                        Total number of Limit Nodes:18
                                                                                        execution_graph: rendered graph omitted. The flattened dump listed node addresses (a cluster at 0x40c0xxx calling SetErrorMode, GetPEB, VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA, and the main image from 0x401000 upward) with the edges between them and the API called at each node. Windows APIs named in the graph: GetPEB, SetErrorMode, SetUnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetCommandLineA, GetSystemTimeAsFileTime, GetTickCount, GetVolumeInformationA, GetDriveTypeA, GetDiskFreeSpaceA, GetSystemDirectoryA, GetWindowsDirectoryA, GetTempPathA, GetEnvironmentVariableA, CreateThread, WSAStartup, CreateEventA, CreateFileA, ReadFile, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesExA, SetFileAttributesA, DeleteFileA, CloseHandle, GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCloseKey, CreateProcessA, ShellExecuteA, StartServiceCtrlDispatcherA, ExitProcess, Sleep, GetLastError, wsprintfA, lstrcpyA, lstrcatA, lstrlenA, CharToOemA.
15202->15203 15619 40e332 15203->15619 15206 40e5f2 15208 40e3ca 19 API calls 15206->15208 15209 40e629 15206->15209 15208->15209 15209->14912 15211 40eabe 15210->15211 15213 40eaba 15210->15213 15212 40dd05 6 API calls 15211->15212 15211->15213 15212->15213 15213->14917 15215 40ee2a 15214->15215 15216 401db4 GetVersionExA 15215->15216 15217 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 15216->15217 15219 401e24 15217->15219 15220 401e16 GetCurrentProcess 15217->15220 15677 40e819 15219->15677 15220->15219 15222 401e3d 15223 40e819 11 API calls 15222->15223 15224 401e4e 15223->15224 15225 401e77 15224->15225 15684 40df70 15224->15684 15693 40ea84 15225->15693 15228 401e6c 15230 40df70 12 API calls 15228->15230 15230->15225 15231 40e819 11 API calls 15232 401e93 15231->15232 15697 40199c inet_addr LoadLibraryA 15232->15697 15235 40e819 11 API calls 15236 401eb9 15235->15236 15237 401ed8 15236->15237 15238 40f04e 4 API calls 15236->15238 15239 40e819 11 API calls 15237->15239 15240 401ec9 15238->15240 15241 401eee 15239->15241 15243 40ea84 30 API calls 15240->15243 15242 401f0a 15241->15242 15710 401b71 15241->15710 15245 40e819 11 API calls 15242->15245 15243->15237 15247 401f23 15245->15247 15246 401efd 15248 40ea84 30 API calls 15246->15248 15249 401f3f 15247->15249 15714 401bdf 15247->15714 15248->15242 15251 40e819 11 API calls 15249->15251 15253 401f5e 15251->15253 15254 401f77 15253->15254 15256 40ea84 30 API calls 15253->15256 15721 4030b5 15254->15721 15255 40ea84 30 API calls 15255->15249 15256->15254 15259 406ec3 2 API calls 15261 401f8e GetTickCount 15259->15261 15261->14922 15263 406ec3 2 API calls 15262->15263 15264 4080eb 15263->15264 15265 4080f9 15264->15265 15266 4080ef 15264->15266 15268 40704c 16 API calls 15265->15268 15769 407ee6 15266->15769 15271 408110 15268->15271 15269 408269 CreateThread 15287 405e6c 15269->15287 16098 40877e 15269->16098 15270 40675c 21 API calls 15277 408244 15270->15277 15272 408156 RegOpenKeyExA 15271->15272 
15273 4080f4 15271->15273 15272->15273 15274 40816d RegQueryValueExA 15272->15274 15273->15269 15273->15270 15275 4081f7 15274->15275 15276 40818d 15274->15276 15278 40820d RegCloseKey 15275->15278 15280 40ec2e codecvt 4 API calls 15275->15280 15276->15275 15281 40ebcc 4 API calls 15276->15281 15277->15269 15279 40ec2e codecvt 4 API calls 15277->15279 15278->15273 15279->15269 15286 4081dd 15280->15286 15282 4081a0 15281->15282 15282->15278 15283 4081aa RegQueryValueExA 15282->15283 15283->15275 15284 4081c4 15283->15284 15285 40ebcc 4 API calls 15284->15285 15285->15286 15286->15278 15837 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15287->15837 15289 405e71 15838 40e654 15289->15838 15291 405ec1 15292 403132 15291->15292 15293 40df70 12 API calls 15292->15293 15294 40313b 15293->15294 15295 40c125 15294->15295 15849 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15295->15849 15297 40c12d 15298 40e654 13 API calls 15297->15298 15299 40c2bd 15298->15299 15300 40e654 13 API calls 15299->15300 15301 40c2c9 15300->15301 15302 40e654 13 API calls 15301->15302 15303 40a47a 15302->15303 15304 408db1 15303->15304 15305 408dbc 15304->15305 15306 40e654 13 API calls 15305->15306 15307 408dec Sleep 15306->15307 15307->14956 15309 40c92f 15308->15309 15310 40c93c 15309->15310 15850 40c517 15309->15850 15312 40ca2b 15310->15312 15313 40e819 11 API calls 15310->15313 15312->14956 15314 40c96a 15313->15314 15315 40e819 11 API calls 15314->15315 15316 40c97d 15315->15316 15317 40e819 11 API calls 15316->15317 15318 40c990 15317->15318 15319 40c9aa 15318->15319 15320 40ebcc 4 API calls 15318->15320 15319->15312 15867 402684 15319->15867 15320->15319 15325 40ca26 15874 40c8aa 15325->15874 15328 40ca44 15329 40ca4b closesocket 15328->15329 15330 40ca83 15328->15330 15329->15325 15331 40ea84 30 API calls 15330->15331 15332 40caac 15331->15332 15333 40f04e 4 API calls 15332->15333 15334 40cab2 15333->15334 15335 40ea84 30 API calls 15334->15335 
15336 40caca 15335->15336 15337 40ea84 30 API calls 15336->15337 15338 40cad9 15337->15338 15882 40c65c 15338->15882 15341 40cb60 closesocket 15341->15312 15343 40dad2 closesocket 15344 40e318 23 API calls 15343->15344 15344->15312 15345 40df4c 20 API calls 15358 40cb70 15345->15358 15350 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15350->15358 15351 40e654 13 API calls 15351->15358 15354 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15354->15358 15358->15343 15358->15345 15358->15350 15358->15351 15358->15354 15359 40ea84 30 API calls 15358->15359 15360 40d569 closesocket Sleep 15358->15360 15361 40d815 wsprintfA 15358->15361 15362 40cc1c GetTempPathA 15358->15362 15363 407ead 6 API calls 15358->15363 15364 40c517 23 API calls 15358->15364 15366 40e8a1 30 API calls 15358->15366 15368 40cfe3 GetSystemDirectoryA 15358->15368 15369 40cfad GetEnvironmentVariableA 15358->15369 15370 40675c 21 API calls 15358->15370 15371 40d027 GetSystemDirectoryA 15358->15371 15372 40d105 lstrcatA 15358->15372 15373 40ef1e lstrlenA 15358->15373 15374 40cc9f CreateFileA 15358->15374 15375 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15358->15375 15377 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15358->15377 15378 40d15b CreateFileA 15358->15378 15383 40d149 SetFileAttributesA 15358->15383 15384 40d36e GetEnvironmentVariableA 15358->15384 15385 40d1bf SetFileAttributesA 15358->15385 15387 40d22d GetEnvironmentVariableA 15358->15387 15388 40d3af lstrcatA 15358->15388 15390 40d3f2 CreateFileA 15358->15390 15392 407fcf 64 API calls 15358->15392 15398 40d4b1 CreateProcessA 15358->15398 15399 40d3e0 SetFileAttributesA 15358->15399 15400 40d26e lstrcatA 15358->15400 15403 40d2b1 CreateFileA 15358->15403 15404 407ee6 64 API calls 15358->15404 15405 40d452 SetFileAttributesA 15358->15405 15408 40d29f SetFileAttributesA 15358->15408 15410 40d31d SetFileAttributesA 15358->15410 15890 
40c75d 15358->15890 15902 407e2f 15358->15902 15924 407ead 15358->15924 15934 4031d0 15358->15934 15951 403c09 15358->15951 15961 403a00 15358->15961 15965 40e7b4 15358->15965 15968 40c06c 15358->15968 15974 406f5f GetUserNameA 15358->15974 15985 40e854 15358->15985 15995 407dd6 15358->15995 15359->15358 15929 40e318 15360->15929 15361->15358 15362->15358 15363->15358 15364->15358 15366->15358 15367 40d582 ExitProcess 15368->15358 15369->15358 15370->15358 15371->15358 15372->15358 15373->15358 15374->15358 15376 40ccc6 WriteFile 15374->15376 15375->15358 15380 40cdcc CloseHandle 15376->15380 15381 40cced CloseHandle 15376->15381 15377->15358 15378->15358 15379 40d182 WriteFile CloseHandle 15378->15379 15379->15358 15380->15358 15386 40cd2f 15381->15386 15382 40cd16 wsprintfA 15382->15386 15383->15378 15384->15358 15385->15358 15386->15382 15911 407fcf 15386->15911 15387->15358 15388->15358 15388->15390 15390->15358 15393 40d415 WriteFile CloseHandle 15390->15393 15392->15358 15393->15358 15394 40cd81 WaitForSingleObject CloseHandle CloseHandle 15396 40f04e 4 API calls 15394->15396 15395 40cda5 15397 407ee6 64 API calls 15395->15397 15396->15395 15401 40cdbd DeleteFileA 15397->15401 15398->15358 15402 40d4e8 CloseHandle CloseHandle 15398->15402 15399->15390 15400->15358 15400->15403 15401->15358 15402->15358 15403->15358 15406 40d2d8 WriteFile CloseHandle 15403->15406 15404->15358 15405->15358 15406->15358 15408->15403 15410->15358 15412 40741b 15411->15412 15413 406dc2 6 API calls 15412->15413 15414 40743f 15413->15414 15415 407469 RegOpenKeyExA 15414->15415 15417 4077f9 15415->15417 15427 407487 ___ascii_stricmp 15415->15427 15416 407703 RegEnumKeyA 15418 407714 RegCloseKey 15416->15418 15416->15427 15417->15026 15418->15417 15419 40f1a5 lstrlenA 15419->15427 15420 4074d2 RegOpenKeyExA 15420->15427 15421 40772c 15423 407742 RegCloseKey 15421->15423 15424 40774b 15421->15424 15422 407521 RegQueryValueExA 15422->15427 15423->15424 15425 4077ec RegCloseKey 
15424->15425 15425->15417 15426 4076e4 RegCloseKey 15426->15427 15427->15416 15427->15419 15427->15420 15427->15421 15427->15422 15427->15426 15429 40777e GetFileAttributesExA 15427->15429 15430 407769 15427->15430 15428 4077e3 RegCloseKey 15428->15425 15429->15430 15430->15428 15432 407073 15431->15432 15433 4070b9 RegOpenKeyExA 15432->15433 15434 4070d0 15433->15434 15448 4071b8 15433->15448 15435 406dc2 6 API calls 15434->15435 15438 4070d5 15435->15438 15436 40719b RegEnumValueA 15437 4071af RegCloseKey 15436->15437 15436->15438 15437->15448 15438->15436 15440 4071d0 15438->15440 15454 40f1a5 lstrlenA 15438->15454 15441 407205 RegCloseKey 15440->15441 15442 407227 15440->15442 15441->15448 15443 4072b8 ___ascii_stricmp 15442->15443 15444 40728e RegCloseKey 15442->15444 15445 4072cd RegCloseKey 15443->15445 15446 4072dd 15443->15446 15444->15448 15445->15448 15447 407311 RegCloseKey 15446->15447 15450 407335 15446->15450 15447->15448 15448->15027 15449 4073d5 RegCloseKey 15451 4073e4 15449->15451 15450->15449 15452 40737e GetFileAttributesExA 15450->15452 15453 407397 15450->15453 15452->15453 15453->15449 15455 40f1c3 15454->15455 15455->15438 15457 403edc 15456->15457 15459 403ee2 15456->15459 15458 406dc2 6 API calls 15457->15458 15458->15459 15459->15032 15461 40400b CreateFileA 15460->15461 15462 40402c GetLastError 15461->15462 15464 404052 15461->15464 15463 404037 15462->15463 15462->15464 15463->15464 15465 404041 Sleep 15463->15465 15464->15035 15464->15036 15464->15037 15465->15461 15465->15464 15467 403f4e GetLastError 15466->15467 15469 403f7c 15466->15469 15468 403f5b WaitForSingleObject GetOverlappedResult 15467->15468 15467->15469 15468->15469 15470 403f8c ReadFile 15469->15470 15471 403ff0 15470->15471 15472 403fc2 GetLastError 15470->15472 15471->15042 15471->15043 15472->15471 15473 403fcf WaitForSingleObject GetOverlappedResult 15472->15473 15473->15471 15477 40eb74 15474->15477 15478 40eb7b GetProcessHeap HeapSize 15477->15478 15479 404350 
15477->15479 15478->15479 15479->15050 15481 401924 GetVersionExA 15480->15481 15481->15094 15483 406eef AllocateAndInitializeSid 15482->15483 15489 406f55 15482->15489 15484 406f44 15483->15484 15485 406f1c CheckTokenMembership 15483->15485 15484->15489 15516 406e36 GetUserNameW 15484->15516 15486 406f3b FreeSid 15485->15486 15487 406f2e 15485->15487 15486->15484 15487->15486 15489->15104 15492 40920e 15490->15492 15494 409308 15490->15494 15491 4092f1 Sleep 15491->15492 15492->15491 15492->15492 15493 4092bf ShellExecuteA 15492->15493 15492->15494 15493->15492 15493->15494 15494->15121 15496 40ef32 15495->15496 15496->15120 15498 40f0f1 15497->15498 15499 40f0ed 15497->15499 15500 40f119 15498->15500 15501 40f0fa lstrlenA SysAllocStringByteLen 15498->15501 15499->15126 15503 40f11c MultiByteToWideChar 15500->15503 15502 40f117 15501->15502 15501->15503 15502->15126 15503->15502 15505 401820 17 API calls 15504->15505 15507 4018f2 15505->15507 15506 4018f9 15506->15121 15507->15506 15519 401280 15507->15519 15509 401908 15509->15121 15531 401000 15510->15531 15512 401839 15513 401851 GetCurrentProcess 15512->15513 15514 40183d 15512->15514 15515 401864 15513->15515 15514->15112 15515->15112 15517 406e5f LookupAccountNameW 15516->15517 15518 406e97 15516->15518 15517->15518 15518->15489 15520 4012e1 15519->15520 15521 4016f9 GetLastError 15520->15521 15522 4013a8 15520->15522 15523 401699 15521->15523 15522->15523 15524 401570 lstrlenW 15522->15524 15525 4015be GetStartupInfoW 15522->15525 15526 4015ff CreateProcessWithLogonW 15522->15526 15530 401668 CloseHandle 15522->15530 15523->15509 15524->15522 15525->15522 15527 4016bf GetLastError 15526->15527 15528 40163f WaitForSingleObject 15526->15528 15527->15523 15528->15522 15529 401659 CloseHandle 15528->15529 15529->15522 15530->15522 15532 40100d LoadLibraryA 15531->15532 15539 401023 15531->15539 15533 401021 15532->15533 15532->15539 15533->15512 15534 4010b5 GetProcAddress 15535 4010d1 GetProcAddress 
15534->15535 15536 40127b 15534->15536 15535->15536 15537 4010f0 GetProcAddress 15535->15537 15536->15512 15537->15536 15538 401110 GetProcAddress 15537->15538 15538->15536 15540 401130 GetProcAddress 15538->15540 15539->15534 15551 4010ae 15539->15551 15540->15536 15541 40114f GetProcAddress 15540->15541 15541->15536 15542 40116f GetProcAddress 15541->15542 15542->15536 15543 40118f GetProcAddress 15542->15543 15543->15536 15544 4011ae GetProcAddress 15543->15544 15544->15536 15545 4011ce GetProcAddress 15544->15545 15545->15536 15546 4011ee GetProcAddress 15545->15546 15546->15536 15547 401209 GetProcAddress 15546->15547 15547->15536 15548 401225 GetProcAddress 15547->15548 15548->15536 15549 401241 GetProcAddress 15548->15549 15549->15536 15550 40125c GetProcAddress 15549->15550 15550->15536 15551->15512 15554 4069b9 WriteFile 15552->15554 15555 406a3c 15554->15555 15557 4069ff 15554->15557 15555->15135 15555->15136 15556 406a10 WriteFile 15556->15555 15556->15557 15557->15555 15557->15556 15559 40eb17 15558->15559 15560 40eb21 15558->15560 15562 40eae4 15559->15562 15560->15140 15563 40eb02 GetProcAddress 15562->15563 15564 40eaed LoadLibraryA 15562->15564 15563->15560 15564->15563 15565 40eb01 15564->15565 15565->15560 15567 40eba7 GetProcessHeap HeapSize 15566->15567 15568 40ebbf GetProcessHeap HeapFree 15566->15568 15567->15568 15568->15169 15570 40908d 15569->15570 15571 4090e2 wsprintfA 15570->15571 15572 40ee2a 15571->15572 15573 4090fd CreateFileA 15572->15573 15574 40911a lstrlenA WriteFile CloseHandle 15573->15574 15575 40913f 15573->15575 15574->15575 15575->15178 15575->15179 15577 40ee2a 15576->15577 15578 409794 CreateProcessA 15577->15578 15579 4097bb 15578->15579 15580 4097c2 15578->15580 15579->15190 15581 4097d4 GetThreadContext 15580->15581 15582 409801 15581->15582 15583 4097f5 15581->15583 15590 40637c 15582->15590 15584 4097f6 TerminateProcess 15583->15584 15584->15579 15586 409816 15586->15584 15587 40981e WriteProcessMemory 15586->15587 
15587->15583 15588 40983b SetThreadContext 15587->15588 15588->15583 15589 409858 ResumeThread 15588->15589 15589->15579 15591 406386 15590->15591 15592 40638a GetModuleHandleA VirtualAlloc 15590->15592 15591->15586 15593 4063f5 15592->15593 15594 4063b6 15592->15594 15593->15586 15595 4063be VirtualAllocEx 15594->15595 15595->15593 15596 4063d6 15595->15596 15597 4063df WriteProcessMemory 15596->15597 15597->15593 15599 40dd41 InterlockedExchange 15598->15599 15600 40dd20 GetCurrentThreadId 15599->15600 15604 40dd4a 15599->15604 15601 40dd53 GetCurrentThreadId 15600->15601 15602 40dd2e GetTickCount 15600->15602 15601->15193 15603 40dd39 Sleep 15602->15603 15602->15604 15603->15599 15604->15601 15606 40dbf0 15605->15606 15638 40db67 GetEnvironmentVariableA 15606->15638 15608 40dcda 15608->15195 15609 40dc19 15609->15608 15610 40db67 3 API calls 15609->15610 15611 40dc5c 15610->15611 15611->15608 15612 40db67 3 API calls 15611->15612 15613 40dc9b 15612->15613 15613->15608 15614 40db67 3 API calls 15613->15614 15614->15608 15616 40db55 15615->15616 15617 40db3a 15615->15617 15616->15197 15616->15202 15642 40ebed 15617->15642 15651 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15619->15651 15621 40e3be 15621->15197 15622 40e342 15622->15621 15654 40de24 15622->15654 15625 40e528 15624->15625 15626 40e3f4 15624->15626 15625->15206 15627 40e434 RegQueryValueExA 15626->15627 15628 40e458 15627->15628 15629 40e51d RegCloseKey 15627->15629 15630 40e46e RegQueryValueExA 15628->15630 15629->15625 15630->15628 15631 40e488 15630->15631 15631->15629 15632 40db2e 8 API calls 15631->15632 15633 40e499 15632->15633 15633->15629 15634 40e4b9 RegQueryValueExA 15633->15634 15635 40e4e8 15633->15635 15634->15633 15634->15635 15635->15629 15636 40e332 14 API calls 15635->15636 15637 40e513 15636->15637 15637->15629 15639 40db89 lstrcpyA CreateFileA 15638->15639 15640 40dbca 15638->15640 15639->15609 15640->15609 15643 40ec01 15642->15643 15644 40ebf6 15642->15644 15645 40eba0 
codecvt 2 API calls 15643->15645 15646 40ebcc 4 API calls 15644->15646 15647 40ec0a GetProcessHeap HeapReAlloc 15645->15647 15648 40ebfe 15646->15648 15649 40eb74 2 API calls 15647->15649 15648->15616 15650 40ec28 15649->15650 15650->15616 15665 40eb41 15651->15665 15655 40de3a 15654->15655 15662 40de4e 15655->15662 15669 40dd84 15655->15669 15658 40de9e 15659 40ebed 8 API calls 15658->15659 15658->15662 15663 40def6 15659->15663 15660 40de76 15673 40ddcf 15660->15673 15662->15622 15663->15662 15664 40ddcf lstrcmpA 15663->15664 15664->15662 15666 40eb54 15665->15666 15667 40eb4a 15665->15667 15666->15622 15668 40eae4 2 API calls 15667->15668 15668->15666 15670 40dd96 15669->15670 15671 40ddc5 15669->15671 15670->15671 15672 40ddad lstrcmpiA 15670->15672 15671->15658 15671->15660 15672->15670 15672->15671 15674 40dddd 15673->15674 15676 40de20 15673->15676 15675 40ddfa lstrcmpA 15674->15675 15674->15676 15675->15674 15676->15662 15678 40dd05 6 API calls 15677->15678 15679 40e821 15678->15679 15680 40dd84 lstrcmpiA 15679->15680 15681 40e82c 15680->15681 15682 40e844 15681->15682 15725 402480 15681->15725 15682->15222 15685 40dd05 6 API calls 15684->15685 15686 40df7c 15685->15686 15687 40dd84 lstrcmpiA 15686->15687 15690 40df89 15687->15690 15688 40dfc4 15688->15228 15689 40ddcf lstrcmpA 15689->15690 15690->15688 15690->15689 15691 40ec2e codecvt 4 API calls 15690->15691 15692 40dd84 lstrcmpiA 15690->15692 15691->15690 15692->15690 15694 40ea98 15693->15694 15734 40e8a1 15694->15734 15696 401e84 15696->15231 15698 4019d5 GetProcAddress GetProcAddress GetProcAddress 15697->15698 15699 4019ce 15697->15699 15700 401ab3 FreeLibrary 15698->15700 15701 401a04 15698->15701 15699->15235 15700->15699 15701->15700 15702 401a14 GetProcessHeap 15701->15702 15702->15699 15704 401a2e HeapAlloc 15702->15704 15704->15699 15705 401a42 15704->15705 15706 401a52 HeapReAlloc 15705->15706 15708 401a62 15705->15708 15706->15708 15707 401aa1 FreeLibrary 15707->15699 15708->15707 15709 
401a96 HeapFree 15708->15709 15709->15707 15762 401ac3 LoadLibraryA 15710->15762 15713 401bcf 15713->15246 15715 401ac3 12 API calls 15714->15715 15716 401c09 15715->15716 15717 401c41 15716->15717 15718 401c0d GetComputerNameA 15716->15718 15717->15255 15719 401c45 GetVolumeInformationA 15718->15719 15720 401c1f 15718->15720 15719->15717 15720->15717 15720->15719 15722 40ee2a 15721->15722 15723 4030d0 gethostname gethostbyname 15722->15723 15724 401f82 15723->15724 15724->15259 15724->15261 15728 402419 lstrlenA 15725->15728 15727 402491 15727->15682 15729 402474 15728->15729 15730 40243d lstrlenA 15728->15730 15729->15727 15731 402464 lstrlenA 15730->15731 15732 40244e lstrcmpiA 15730->15732 15731->15729 15731->15730 15732->15731 15733 40245c 15732->15733 15733->15729 15733->15731 15735 40dd05 6 API calls 15734->15735 15736 40e8b4 15735->15736 15737 40dd84 lstrcmpiA 15736->15737 15738 40e8c0 15737->15738 15739 40e90a 15738->15739 15740 40e8c8 lstrcpynA 15738->15740 15741 402419 4 API calls 15739->15741 15750 40ea27 15739->15750 15742 40e8f5 15740->15742 15743 40e926 lstrlenA lstrlenA 15741->15743 15755 40df4c 15742->15755 15744 40e96a 15743->15744 15745 40e94c lstrlenA 15743->15745 15749 40ebcc 4 API calls 15744->15749 15744->15750 15745->15744 15747 40e901 15748 40dd84 lstrcmpiA 15747->15748 15748->15739 15751 40e98f 15749->15751 15750->15696 15751->15750 15752 40df4c 20 API calls 15751->15752 15753 40ea1e 15752->15753 15754 40ec2e codecvt 4 API calls 15753->15754 15754->15750 15756 40dd05 6 API calls 15755->15756 15757 40df51 15756->15757 15758 40f04e 4 API calls 15757->15758 15759 40df58 15758->15759 15760 40de24 10 API calls 15759->15760 15761 40df63 15760->15761 15761->15747 15763 401ae2 GetProcAddress 15762->15763 15764 401b68 GetComputerNameA GetVolumeInformationA 15762->15764 15763->15764 15765 401af5 15763->15765 15764->15713 15766 40ebed 8 API calls 15765->15766 15767 401b29 15765->15767 15766->15765 15767->15764 15767->15767 15768 40ec2e codecvt 4 API 
calls 15767->15768 15768->15764 15770 406ec3 2 API calls 15769->15770 15771 407ef4 15770->15771 15772 4073ff 17 API calls 15771->15772 15781 407fc9 15771->15781 15773 407f16 15772->15773 15773->15781 15782 407809 GetUserNameA 15773->15782 15775 407f63 15776 40ef1e lstrlenA 15775->15776 15775->15781 15777 407fa6 15776->15777 15778 40ef1e lstrlenA 15777->15778 15779 407fb7 15778->15779 15806 407a95 RegOpenKeyExA 15779->15806 15781->15273 15783 40783d LookupAccountNameA 15782->15783 15784 407a8d 15782->15784 15783->15784 15785 407874 GetLengthSid GetFileSecurityA 15783->15785 15784->15775 15785->15784 15786 4078a8 GetSecurityDescriptorOwner 15785->15786 15787 4078c5 EqualSid 15786->15787 15788 40791d GetSecurityDescriptorDacl 15786->15788 15787->15788 15789 4078dc LocalAlloc 15787->15789 15788->15784 15796 407941 15788->15796 15789->15788 15790 4078ef InitializeSecurityDescriptor 15789->15790 15792 407916 LocalFree 15790->15792 15793 4078fb SetSecurityDescriptorOwner 15790->15793 15791 40795b GetAce 15791->15796 15792->15788 15793->15792 15794 40790b SetFileSecurityA 15793->15794 15794->15792 15795 407980 EqualSid 15795->15796 15796->15784 15796->15791 15796->15795 15797 407a3d 15796->15797 15798 4079be EqualSid 15796->15798 15799 40799d DeleteAce 15796->15799 15797->15784 15800 407a43 LocalAlloc 15797->15800 15798->15796 15799->15796 15800->15784 15801 407a56 InitializeSecurityDescriptor 15800->15801 15802 407a62 SetSecurityDescriptorDacl 15801->15802 15803 407a86 LocalFree 15801->15803 15802->15803 15804 407a73 SetFileSecurityA 15802->15804 15803->15784 15804->15803 15805 407a83 15804->15805 15805->15803 15807 407ac4 15806->15807 15808 407acb GetUserNameA 15806->15808 15807->15781 15809 407da7 RegCloseKey 15808->15809 15810 407aed LookupAccountNameA 15808->15810 15809->15807 15810->15809 15811 407b24 RegGetKeySecurity 15810->15811 15811->15809 15812 407b49 GetSecurityDescriptorOwner 15811->15812 15813 407b63 EqualSid 15812->15813 15814 407bb8 
GetSecurityDescriptorDacl 15812->15814 15813->15814 15816 407b74 LocalAlloc 15813->15816 15815 407da6 15814->15815 15823 407bdc 15814->15823 15815->15809 15816->15814 15817 407b8a InitializeSecurityDescriptor 15816->15817 15819 407bb1 LocalFree 15817->15819 15820 407b96 SetSecurityDescriptorOwner 15817->15820 15818 407bf8 GetAce 15818->15823 15819->15814 15820->15819 15821 407ba6 RegSetKeySecurity 15820->15821 15821->15819 15822 407c1d EqualSid 15822->15823 15823->15815 15823->15818 15823->15822 15824 407cd9 15823->15824 15825 407c5f EqualSid 15823->15825 15826 407c3a DeleteAce 15823->15826 15824->15815 15827 407d5a LocalAlloc 15824->15827 15829 407cf2 RegOpenKeyExA 15824->15829 15825->15823 15826->15823 15827->15815 15828 407d70 InitializeSecurityDescriptor 15827->15828 15830 407d7c SetSecurityDescriptorDacl 15828->15830 15831 407d9f LocalFree 15828->15831 15829->15827 15834 407d0f 15829->15834 15830->15831 15832 407d8c RegSetKeySecurity 15830->15832 15831->15815 15832->15831 15833 407d9c 15832->15833 15833->15831 15835 407d43 RegSetValueExA 15834->15835 15835->15827 15836 407d54 15835->15836 15836->15827 15837->15289 15839 40dd05 6 API calls 15838->15839 15842 40e65f 15839->15842 15840 40e6a5 15841 40ebcc 4 API calls 15840->15841 15847 40e6f5 15840->15847 15843 40e6b0 15841->15843 15842->15840 15844 40e68c lstrcmpA 15842->15844 15845 40e6b7 15843->15845 15846 40e6e0 lstrcpynA 15843->15846 15843->15847 15844->15842 15845->15291 15846->15847 15847->15845 15848 40e71d lstrcmpA 15847->15848 15848->15847 15849->15297 15851 40c525 15850->15851 15852 40c532 15850->15852 15851->15852 15854 40ec2e codecvt 4 API calls 15851->15854 15853 40c548 15852->15853 16002 40e7ff 15852->16002 15856 40e7ff lstrcmpiA 15853->15856 15864 40c54f 15853->15864 15854->15852 15857 40c615 15856->15857 15858 40ebcc 4 API calls 15857->15858 15857->15864 15858->15864 15859 40c5d1 15862 40ebcc 4 API calls 15859->15862 15861 40e819 11 API calls 15863 40c5b7 15861->15863 15862->15864 15865 40f04e 4 
API calls 15863->15865 15864->15310 15866 40c5bf 15865->15866 15866->15853 15866->15859 15868 402692 inet_addr 15867->15868 15869 40268e 15867->15869 15868->15869 15870 40269e gethostbyname 15868->15870 15871 40f428 15869->15871 15870->15869 16005 40f315 15871->16005 15875 40c8d2 15874->15875 15876 40c907 15875->15876 15877 40c517 23 API calls 15875->15877 15876->15312 15877->15876 15878 40f43e 15879 40f473 recv 15878->15879 15880 40f47c 15879->15880 15881 40f458 15879->15881 15880->15328 15881->15879 15881->15880 15883 40c670 15882->15883 15885 40c67d 15882->15885 15884 40ebcc 4 API calls 15883->15884 15884->15885 15886 40ebcc 4 API calls 15885->15886 15888 40c699 15885->15888 15886->15888 15887 40c6f3 15887->15341 15887->15358 15888->15887 15889 40c73c send 15888->15889 15889->15887 15891 40c770 15890->15891 15892 40c77d 15890->15892 15893 40ebcc 4 API calls 15891->15893 15894 40ebcc 4 API calls 15892->15894 15895 40c799 15892->15895 15893->15892 15894->15895 15896 40ebcc 4 API calls 15895->15896 15898 40c7b5 15895->15898 15896->15898 15897 40f43e recv 15899 40c7cb 15897->15899 15898->15897 15900 40f43e recv 15899->15900 15901 40c7d3 15899->15901 15900->15901 15901->15358 16018 407db7 15902->16018 15905 40f04e 4 API calls 15908 407e4c 15905->15908 15906 407e96 15906->15358 15907 407e70 15907->15906 15909 40f04e 4 API calls 15907->15909 15908->15907 15910 40f04e 4 API calls 15908->15910 15909->15906 15910->15907 15912 406ec3 2 API calls 15911->15912 15913 407fdd 15912->15913 15914 4080c2 CreateProcessA 15913->15914 15915 4073ff 17 API calls 15913->15915 15914->15394 15914->15395 15916 407fff 15915->15916 15916->15914 15917 407809 21 API calls 15916->15917 15918 40804d 15917->15918 15918->15914 15919 40ef1e lstrlenA 15918->15919 15920 40809e 15919->15920 15921 40ef1e lstrlenA 15920->15921 15922 4080af 15921->15922 15923 407a95 24 API calls 15922->15923 15923->15914 15925 407db7 2 API calls 15924->15925 15926 407eb8 15925->15926 15927 40f04e 4 API calls 15926->15927 
15928 407ece DeleteFileA 15927->15928 15928->15358 15930 40dd05 6 API calls 15929->15930 15931 40e31d 15930->15931 16022 40e177 15931->16022 15933 40e326 15933->15367 15935 4031f3 15934->15935 15945 4031ec 15934->15945 15936 40ebcc 4 API calls 15935->15936 15943 4031fc 15936->15943 15937 403459 15940 40f04e 4 API calls 15937->15940 15938 40349d 15939 40ec2e codecvt 4 API calls 15938->15939 15939->15945 15941 40345f 15940->15941 15942 4030fa 4 API calls 15941->15942 15942->15945 15944 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15943->15944 15943->15945 15946 40344d 15943->15946 15949 40344b 15943->15949 15950 403141 lstrcmpiA 15943->15950 16048 4030fa GetTickCount 15943->16048 15944->15943 15945->15358 15947 40ec2e codecvt 4 API calls 15946->15947 15947->15949 15949->15937 15949->15938 15950->15943 15952 4030fa 4 API calls 15951->15952 15953 403c1a 15952->15953 15954 403ce6 15953->15954 16053 403a72 15953->16053 15954->15358 15957 403a72 9 API calls 15959 403c5e 15957->15959 15958 403a72 9 API calls 15958->15959 15959->15954 15959->15958 15960 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15959->15960 15960->15959 15962 403a10 15961->15962 15963 4030fa 4 API calls 15962->15963 15964 403a1a 15963->15964 15964->15358 15966 40dd05 6 API calls 15965->15966 15967 40e7be 15966->15967 15967->15358 15969 40c105 15968->15969 15970 40c07e wsprintfA 15968->15970 15969->15358 16062 40bfce GetTickCount wsprintfA 15970->16062 15972 40c0ef 16063 40bfce GetTickCount wsprintfA 15972->16063 15975 407047 15974->15975 15976 406f88 LookupAccountNameA 15974->15976 15975->15358 15978 407025 15976->15978 15979 406fcb 15976->15979 15980 406edd 5 API calls 15978->15980 15981 406fdb ConvertSidToStringSidA 15979->15981 15982 40702a wsprintfA 15980->15982 15981->15978 15983 406ff1 15981->15983 15982->15975 15984 407013 LocalFree 15983->15984 15984->15978 15986 40dd05 6 API calls 15985->15986 15987 40e85c 15986->15987 15988 40dd84 lstrcmpiA 15987->15988 15989 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: PromptOnSecureDesktop$runas
                                                                                        • API String ID: 3696105349-2220793183
                                                                                        • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                        • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3188212458-2980165447
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0264D769
                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 0264D789
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079068400.000000000263D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_263d000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 3833638111-0
                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction ID: 68f0683cc1a1321370307e31181d4800cc08c3b49174cbb0671d093d41034eb5
                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction Fuzzy Hash: 7AF09632A007116BD7203BF9AC8CF6E76ECAF49668F100528F686D15C0DF70E8458A61

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                          • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocateSize
                                                                                        • String ID:
                                                                                        • API String ID: 2559512979-0
                                                                                        • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                        • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 3433985886-3108538426
                                                                                        • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                        • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.KERNELBASE(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"$PromptOnSecureDesktop
                                                                                        • API String ID: 4293430545-98143240
                                                                                        • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                        • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 576 40675c-406778 577 406784-4067a2 CreateFileA 576->577 578 40677a-40677e SetFileAttributesA 576->578 579 4067a4-4067b2 CreateFileA 577->579 580 4067b5-4067b8 577->580 578->577 579->580 581 4067c5-4067c9 580->581 582 4067ba-4067bf SetFileAttributesA 580->582 583 406977-406986 581->583 584 4067cf-4067df GetFileSize 581->584 582->581 585 4067e5-4067e7 584->585 586 40696b 584->586 585->586 587 4067ed-40680b ReadFile 585->587 588 40696e-406971 CloseHandle 586->588 587->586 589 406811-406824 SetFilePointer 587->589 588->583 589->586 590 40682a-406842 ReadFile 589->590 590->586 591 406848-406861 SetFilePointer 590->591 591->586 592 406867-406876 591->592 593 4068d5-4068df 592->593 594 406878-40688f ReadFile 592->594 593->588 595 4068e5-4068eb 593->595 596 406891-40689e 594->596 597 4068d2 594->597 598 4068f0-4068fe call 40ebcc 595->598 599 4068ed 595->599 600 4068a0-4068b5 596->600 601 4068b7-4068ba 596->601 597->593 598->586 607 406900-40690b SetFilePointer 598->607 599->598 603 4068bd-4068c3 600->603 601->603 605 4068c5 603->605 606 4068c8-4068ce 603->606 605->606 606->594 608 4068d0 606->608 609 40695a-406969 call 40ec2e 607->609 610 40690d-406920 ReadFile 607->610 608->593 609->588 610->609 611 406922-406958 610->611 611->588
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                        • CloseHandle.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                        Control-flow Graph

control_flow_graph 640 40c003c-40c0047 641 40c004c-40c0263 call 40c0a3f call 40c0e0f call 40c0d90 VirtualAlloc 640->641 642 40c0049 640->642 657 40c028b-40c0292 641->657 658 40c0265-40c0289 call 40c0a69 641->658 642->641 659 40c02a1-40c02b0 657->659 661 40c02ce-40c03c2 VirtualProtect call 40c0cce call 40c0ce7 658->661 659->661 662 40c02b2-40c02cc 659->662 669 40c03d1-40c03e0 661->669 662->659 670 40c0439-40c04b8 VirtualFree 669->670 671 40c03e2-40c0437 call 40c0ce7 669->671 673 40c04be-40c04cd 670->673 674 40c05f4-40c05fe 670->674 671->669 678 40c04d3-40c04dd 673->678 675 40c077f-40c0789 674->675 676 40c0604-40c060d 674->676 682 40c078b-40c07a3 675->682 683 40c07a6-40c07b0 675->683 676->675 680 40c0613-40c0637 676->680 678->674 679 40c04e3-40c0505 LoadLibraryA 678->679 684 40c0517-40c0520 679->684 685 40c0507-40c0515 679->685 688 40c063e-40c0648 680->688 682->683 686 40c086e-40c08be LoadLibraryA 683->686 687 40c07b6-40c07cb 683->687 689 40c0526-40c0547 684->689 685->689 696 40c08c7-40c08f9 686->696 690 40c07d2-40c07d5 687->690 688->675 691 40c064e-40c065a 688->691 694 40c054d-40c0550 689->694 692 40c0824-40c0833 690->692 693 40c07d7-40c07e0 690->693 691->675 695 40c0660-40c066a 691->695 704 40c0839-40c083c 692->704 699 40c07e4-40c0822 693->699 700 40c07e2 693->700 701 40c0556-40c056b 694->701 702 40c05e0-40c05ef 694->702 703 40c067a-40c0689 695->703 697 40c08fb-40c0901 696->697 698 40c0902-40c091d 696->698 697->698 699->690 700->692 705 40c056d 701->705 706 40c056f-40c057a 701->706 702->678 707 40c068f-40c06b2 703->707 708 40c0750-40c077a 703->708 704->686 709 40c083e-40c0847 704->709 705->702 711 40c057c-40c0599 706->711 712 40c059b-40c05bb 706->712 713 40c06ef-40c06fc 707->713 714 40c06b4-40c06ed 707->714 708->688 715 40c0849 709->715 716 40c084b-40c086c 709->716 723 40c05bd-40c05db 711->723 712->723 717 40c06fe-40c0748 713->717 718 40c074b 713->718 714->713 715->686 716->704 717->718 718->703 723->694
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 040C024D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID: cess$kernel32.dll
                                                                                        • API String ID: 4275171209-1230238691
                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction ID: 1dab67e863e62ec9b548f6c48d5b4aaf51138b6ebbcc7d96e25d982c822f711b
                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction Fuzzy Hash: 47526A74A01229DFDB64CF98C984BACBBB1BF09304F1480D9E94DAB351DB30AA95DF15

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                        • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                        • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                          • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                          • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                          • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                          • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                          • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4131120076-2980165447
                                                                                        • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                        • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                        • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                        • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 739 404000-404008 740 40400b-40402a CreateFileA 739->740 741 404057 740->741 742 40402c-404035 GetLastError 740->742 743 404059-40405c 741->743 744 404052 742->744 745 404037-40403a 742->745 746 404054-404056 743->746 744->746 745->744 747 40403c-40403f 745->747 747->743 748 404041-404050 Sleep 747->748 748->740 748->744
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 408151869-2980165447
                                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 749 406987-4069b7 750 4069e0 749->750 751 4069b9-4069be 749->751 753 4069e4-4069fd WriteFile 750->753 751->750 752 4069c0-4069d0 751->752 754 4069d2 752->754 755 4069d5-4069de 752->755 756 406a4d-406a51 753->756 757 4069ff-406a02 753->757 754->755 755->753 758 406a53-406a56 756->758 759 406a59 756->759 757->756 760 406a04-406a08 757->760 758->759 761 406a5b-406a5f 759->761 762 406a0a-406a0d 760->762 763 406a3c-406a3e 760->763 764 406a10-406a2e WriteFile 762->764 763->761 765 406a40-406a4b 764->765 766 406a30-406a33 764->766 765->761 766->765 767 406a35-406a3a 766->767 767->763 767->764
                                                                                        APIs
                                                                                        • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                        • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID: ,k@
                                                                                        • API String ID: 3934441357-1053005162
                                                                                        • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                        • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 769 4091eb-409208 770 409308 769->770 771 40920e-40921c call 40ed03 769->771 772 40930b-40930f 770->772 775 40921e-40922c call 40ed03 771->775 776 40923f-409249 771->776 775->776 782 40922e-409230 775->782 778 409250-409270 call 40ee08 776->778 779 40924b 776->779 785 409272-40927f 778->785 786 4092dd-4092e1 778->786 779->778 784 409233-409238 782->784 784->784 787 40923a-40923c 784->787 788 409281-409285 785->788 789 40929b-40929e 785->789 790 4092e3-4092e5 786->790 791 4092e7-4092e8 786->791 787->776 788->788 794 409287 788->794 792 4092a0 789->792 793 40928e-409293 789->793 790->791 795 4092ea-4092ef 790->795 791->786 798 4092a8-4092ab 792->798 799 409295-409298 793->799 800 409289-40928c 793->800 794->789 796 4092f1-4092f6 Sleep 795->796 797 4092fc-409302 795->797 796->797 797->770 797->771 802 4092a2-4092a5 798->802 803 4092ad-4092b0 798->803 799->798 801 40929a 799->801 800->793 800->801 801->789 804 4092b2 802->804 805 4092a7 802->805 803->804 806 4092bd 803->806 807 4092b5-4092b9 804->807 805->798 808 4092bf-4092db ShellExecuteA 806->808 807->807 809 4092bb 807->809 808->786 810 409310-409324 808->810 809->808 810->772
                                                                                        APIs
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                        • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShellSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4194306370-0
                                                                                        • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                        • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                        • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                        • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 824 40c0e0f-40c0e24 SetErrorMode * 2 825 40c0e2b-40c0e2c 824->825 826 40c0e26 824->826 826->825
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,040C0223,?,?), ref: 040C0E19
                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,040C0223,?,?), ref: 040C0E1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction ID: 7f0cf881bb43db57050677ab7943137c06155485fb51825f42092dbf9388b019
                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction Fuzzy Hash: 98D01231145128F7D7403BD4DC09BCD7B5CDF05B62F008011FB0DE9080C770954046E5

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 830 406dc2-406dd5 831 406e33-406e35 830->831 832 406dd7-406df1 call 406cc9 call 40ef00 830->832 837 406df4-406df9 832->837 837->837 838 406dfb-406e00 837->838 839 406e02-406e22 GetVolumeInformationA 838->839 840 406e24 838->840 839->840 841 406e2e 839->841 840->841 841->831
                                                                                        APIs
                                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1823874839-0
                                                                                        • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                        • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0264D451
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079068400.000000000263D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_263d000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction ID: 76c0a164d042e1d14defd937b934a7da6afe5a98970b23a59c3a3392a810e783
                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction Fuzzy Hash: 4C113979A00208EFDB01DF98C985E98BFF5AF08351F0580A4F9889B361D771EA90DF90
                                                                                        APIs
                                                                                        • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                        • closesocket.WS2_32(?), ref: 0040CB63
                                                                                        • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                        • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                        • wsprintfA.USER32 ref: 0040CD21
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                        • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                        • closesocket.WS2_32(?), ref: 0040D56C
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                        • ExitProcess.KERNEL32 ref: 0040D583
                                                                                        • wsprintfA.USER32 ref: 0040D81F
                                                                                          • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                        • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                        • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • API String ID: 562065436-3791576231
                                                                                        • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                        • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-3716895483
                                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID: PromptOnSecureDesktop
• API String ID: 2404124870-2980165447
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 040C65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 040C6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 040C6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 040C6652
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
APIs
• CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
• DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
  • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
  • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: Time$FileSystem$CloseControlCreateDeviceHandle
• String ID:
• API String ID: 3754425949-0
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2079068400.000000000263D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_263d000_2IFYYPRUgO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• ExitProcess.KERNEL32 ref: 040C9E6D
• lstrcpy.KERNEL32(?,00000000), ref: 040C9FE1
• lstrcat.KERNEL32(?,?), ref: 040C9FF2
• lstrcat.KERNEL32(?,0041070C), ref: 040CA004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 040CA054
• DeleteFileA.KERNEL32(?), ref: 040CA09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 040CA0D6
• lstrcpy.KERNEL32 ref: 040CA12F
• lstrlen.KERNEL32(00000022), ref: 040CA13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 040C9F13
  • Part of subcall function 040C7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 040C7081
  • Part of subcall function 040C6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rwmckfcj,040C7043), ref: 040C6F4E
  • Part of subcall function 040C6F30: GetProcAddress.KERNEL32(00000000), ref: 040C6F55
  • Part of subcall function 040C6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 040C6F7B
  • Part of subcall function 040C6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 040C6F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 040CA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 040CA1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 040CA214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 040CA21B
• GetDriveTypeA.KERNEL32(?), ref: 040CA265
• lstrcat.KERNEL32(?,00000000), ref: 040CA29F
• lstrcat.KERNEL32(?,00410A34), ref: 040CA2C5
• lstrcat.KERNEL32(?,00000022), ref: 040CA2D9
• lstrcat.KERNEL32(?,00410A34), ref: 040CA2F4
• wsprintfA.USER32 ref: 040CA31D
• lstrcat.KERNEL32(?,00000000), ref: 040CA345
• lstrcat.KERNEL32(?,?), ref: 040CA364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 040CA387
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 040CA398
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 040CA1D1
                                                                                          • Part of subcall function 040C9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 040C999D
                                                                                          • Part of subcall function 040C9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 040C99BD
                                                                                          • Part of subcall function 040C9966: RegCloseKey.ADVAPI32(?), ref: 040C99C6
                                                                                        • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 040CA3DB
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 040CA3E2
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 040CA41D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                        • String ID: "$"$"$D$P$\
                                                                                        • API String ID: 1653845638-2605685093
                                                                                        • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction ID: 4ca0467ca66a0a16cb710abff3c288f3698d13cc3aa9e7775fb9a259e40364fe
                                                                                        • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction Fuzzy Hash: 03F12DB1D4025DEFDB21DBA09C48FEF7BBCAB08304F1444AAE605F2141E775AA858F65
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2976863881-1403908072
                                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 040C7D21
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 040C7D46
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 040C7D7D
                                                                                        • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 040C7DA2
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 040C7DC0
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 040C7DD1
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 040C7DE5
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 040C7DF3
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 040C7E03
                                                                                        • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 040C7E12
                                                                                        • LocalFree.KERNEL32(00000000), ref: 040C7E19
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 040C7E35
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2976863881-1403908072
                                                                                        • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction ID: e77cb99d288bcf3c5bdb3b72021bf9ea657e2d666f2c46ce7720e8de7be2aa40
                                                                                        • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction Fuzzy Hash: E1A16C7290021AEFDB619FA0DC88FEEBBB9FB08301F14806AE505F3150D7759A85CB64
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                        • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                        • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 040C7A96
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 040C7ACD
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 040C7ADF
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 040C7B01
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 040C7B1F
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 040C7B39
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 040C7B4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 040C7B58
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 040C7B68
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 040C7B77
                                                                                        • LocalFree.KERNEL32(00000000), ref: 040C7B7E
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 040C7B9A
                                                                                        • GetAce.ADVAPI32(?,?,?), ref: 040C7BCA
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 040C7BF1
                                                                                        • DeleteAce.ADVAPI32(?,?), ref: 040C7C0A
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 040C7C2C
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 040C7CB1
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 040C7CBF
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 040C7CD0
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 040C7CE0
                                                                                        • LocalFree.KERNEL32(00000000), ref: 040C7CEE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: 1bec8cb39a75eacf651f3c56fa2495595566a8a117bf4f395ad7aba962dfe2a3
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: DD812A7190021AEBDB21CFA4DD84BEEBBB8AF08344F04816EE615F7150D775AA45CFA4
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: PromptOnSecureDesktop$localcfg
                                                                                        • API String ID: 237177642-1678164370
                                                                                        • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                        • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 040C865A
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 040C867B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 040C86A8
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 040C86B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 237177642-3108538426
                                                                                        • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction ID: 5edf6b9127c50c1aefba5d07d0d716b982fff13d91ff783a4a48730b02f01e1f
                                                                                        • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction Fuzzy Hash: F3C1B472940109FEEB51AFA4DC84EEF7BBDEB04345F14846DF604F2050E7B0AA949B69
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 040C1601
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 040C17D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $<$@$D
                                                                                        • API String ID: 1628651668-1974347203
                                                                                        • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction ID: c0d38d19ebe9a281034ebc3683ebd48231d09c827b44988c6f0a9b46bccd08ab
                                                                                        • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction Fuzzy Hash: 71F16CB1508341DFD720DF64C888BAEB7E5FB89304F008A2DF596AB291D7B4A944CF56
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 040C76D9
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 040C7757
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 040C778F
                                                                                        • ___ascii_stricmp.LIBCMT ref: 040C78B4
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 040C794E
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 040C796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 040C797E
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 040C79AC
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 040C7A56
                                                                                          • Part of subcall function 040CF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,040C772A,?), ref: 040CF414
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 040C79F6
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 040C7A4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 3433985886-3108538426
                                                                                        • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction ID: 196957d942f24b1140393e3c055b9c8532bccb78121376a0d6df1fcc6bb3f0cb
                                                                                        • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction Fuzzy Hash: D4C1A17290020AEFEB619FA4DC44FEE7BB9EF45714F1040A9E504F7190EB75AA848F61
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 040C2CED
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 040C2D07
                                                                                        • htons.WS2_32(00000000), ref: 040C2D42
                                                                                        • select.WS2_32 ref: 040C2D8F
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 040C2DB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 040C2E62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 127016686-0
                                                                                        • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction ID: 2f564d388bd5fe6cd5713e2a731d40208fb04ec1c32dd0e5550ea25b847ce911
                                                                                        • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction Fuzzy Hash: 1461E471904309EBC320AF64DC08BAFBBE8FB44745F01489DF944B7591D7B5E8819BA6
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?), ref: 040C95A7
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 040C95D5
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 040C95DC
                                                                                        • wsprintfA.USER32 ref: 040C9635
                                                                                        • wsprintfA.USER32 ref: 040C9673
                                                                                        • wsprintfA.USER32 ref: 040C96F4
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 040C9758
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 040C978D
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 040C97D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3696105349-2980165447
                                                                                        • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction ID: eaea467d6d11f281b892cf9667d8994298dda968bbca4e77279d02ec0514a8c4
                                                                                        • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction Fuzzy Hash: 9FA17EB1940248EFEB21DFA0CC85FDE3BACEB04744F10412AFA15A6191E7B5E5848FA5
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-142018493
                                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                        • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 040C202D
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 040C204F
                                                                                        • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 040C206A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 040C2071
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 040C2082
                                                                                        • GetTickCount.KERNEL32 ref: 040C2230
                                                                                          • Part of subcall function 040C1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 040C1E7C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                        • API String ID: 4207808166-1391650218
                                                                                        • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction ID: f675bb8d53ad393ea0a11ba1a81fbe21ad2242ad4d6e85ca20181925d01babf7
                                                                                        • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction Fuzzy Hash: B051A3B0900344EFE330AF658C85FAFBAECEB5470CF00495DF996A2542D7B9B58487A5
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 040C3068
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 040C3078
                                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 040C3095
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 040C30B6
                                                                                        • htons.WS2_32(00000035), ref: 040C30EF
                                                                                        • inet_addr.WS2_32(?), ref: 040C30FA
                                                                                        • gethostbyname.WS2_32(?), ref: 040C310D
                                                                                        • HeapFree.KERNEL32(00000000), ref: 040C314D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: iphlpapi.dll
                                                                                        • API String ID: 2869546040-3565520932
                                                                                        • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction ID: aa46a39942c74a1c1cabb739e6ab3cfc566768f65814690e3f311a45f97665ed
                                                                                        • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction Fuzzy Hash: 6D31B631A10206EFDB519FB89C48AAE77F8EF45760F14C129ED18F72A0DB74E5818B58
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                        • API String ID: 1082366364-2834986871
                                                                                        • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                        • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2981417381-1403908072
                                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000008), ref: 040C67C3
                                                                                        • htonl.WS2_32(?), ref: 040C67DF
                                                                                        • htonl.WS2_32(?), ref: 040C67EE
                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 040C68F1
                                                                                        • ExitProcess.KERNEL32 ref: 040C69BC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Processhtonl$CurrentExitRead
                                                                                        • String ID: except_info$localcfg
                                                                                        • API String ID: 1430491713-3605449297
                                                                                        • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction ID: 216136ff6603d2bf8235ea88d43ea8573145ca6256753fe9270036342acf11d7
                                                                                        • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction Fuzzy Hash: 8F618F71A40208EFDB609FA4DC45FEA77E9FB08300F14846AFA6DD2161EA75A980CF54
                                                                                        APIs
                                                                                        • htons.WS2_32(040CCC84), ref: 040CF5B4
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 040CF5CE
                                                                                        • closesocket.WS2_32(00000000), ref: 040CF5DC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction ID: 1e185fd6c9679ae8438c85ddb1e113a5e0e15678450905f1ef0ff8c8d6760455
                                                                                        • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction Fuzzy Hash: 7F317E71900119ABDB10DFA5DC84DEE7BBDEF48354F10456AFA05E3190E7709A818BA6
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                        • wsprintfA.USER32 ref: 00407036
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                        • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
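The function blocks above are the analyst's raw material: CreateProcessA called with dwCreationFlags 00000004 (CREATE_SUSPENDED) and followed, in address order, by GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread (thread-context hijacking of a freshly created process); iphlpapi.dll and dnsapi.dll resolved at run time through LoadLibraryA/GetProcAddress next to htons(00000035), that is port 53; and per-function String IDs such as localcfg, rbl_bl and rbl_ip. The Python script below is an added example, not Joe Sandbox code and not part of this report: it parses a pasted excerpt in the report's own "APIs"/"String ID" layout and flags those two call patterns while collecting the string IDs. The excerpt embedded in it is constructed from the lines above; the "Part of subcall function" handling, the assumption that the sandbox prints numeric arguments as exactly 8 hex digits, and the function names are the example's own.

```python
import re

# Documented Win32/Winsock constants used by the checks below.
CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit of CreateProcess{A,W}
DNS_PORT = 53                   # 0x35, the value the report shows passed to htons()

# One call line of a Joe Sandbox "APIs" block. Handled shapes (from the report):
#   • CreateProcessA.KERNEL32(00000000,00409947,...,00000004,...), ref: 004097B1
#   • GetTickCount.KERNEL32 ref: 00402078
#   • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(...), ref: 0040F089
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
# Assumption: the sandbox prints numeric arguments as 8 hex digits; anything else
# ('?', strings such as iphlpapi.dll) is kept as text.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_arg(tok):
    tok = tok.strip()
    return int(tok, 16) if HEX_RE.match(tok) else tok


def parse_blocks(text):
    """Split report text into function blocks; each starts at an 'APIs' header."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "strings": []}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m.group("args")
            current["calls"].append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": [parse_arg(a) for a in args.split(",")] if args else [],
                "ref": int(m.group("ref"), 16),
            })
            continue
        m = STRING_ID_RE.match(line)
        if m:  # String IDs are '$'-joined, e.g. localcfg$net_type$rbl_bl$rbl_ip
            current["strings"].extend(s for s in m.group("ids").split("$") if s)
    return blocks


def is_suspended_create(call):
    """CreateProcess{A,W} whose 6th argument (dwCreationFlags) has CREATE_SUSPENDED set."""
    if not call["api"].startswith("CreateProcess") or len(call["args"]) < 6:
        return False
    flags = call["args"][5]
    return isinstance(flags, int) and bool(flags & CREATE_SUSPENDED)


HOLLOW_CHAIN = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect_hollowing(block):
    """True when a suspended CreateProcess is followed, in listing order, by
    WriteProcessMemory -> SetThreadContext -> ResumeThread."""
    names = [c["api"] for c in block["calls"]]
    for start, call in enumerate(block["calls"]):
        if not is_suspended_create(call):
            continue
        pos = start
        try:
            for step in HOLLOW_CHAIN:
                pos = names.index(step, pos + 1)
        except ValueError:
            return False
        return True
    return False


def detect_dns_resolver(block):
    """True when the block prepares port 53 with htons() next to name-resolution
    calls, i.e. it talks to a DNS server itself."""
    ports = {c["args"][0] for c in block["calls"] if c["api"] == "htons" and c["args"]}
    resolves = any(c["api"] in ("gethostbyname", "inet_addr") for c in block["calls"])
    return DNS_PORT in ports and resolves


def collect_string_ids(blocks):
    """Every String ID token across blocks (localcfg, rbl_bl, time_cfg, ...)."""
    return sorted({s for b in blocks for s in b["strings"]})


def triage(text):
    blocks = parse_blocks(text)
    return {
        "blocks": len(blocks),
        "hollowing_refs": [hex(c["ref"]) for b in blocks if detect_hollowing(b)
                           for c in b["calls"] if is_suspended_create(c)],
        "dns_blocks": [i for i, b in enumerate(blocks) if detect_dns_resolver(b)],
        "string_ids": collect_string_ids(blocks),
    }


# Constructed excerpt in the report's layout, copied in shape from the blocks above.
REPORT_EXCERPT = """\
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
• String ID: D$PromptOnSecureDesktop
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 040C3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 040C3078
• htons.WS2_32(00000035), ref: 040C30EF
• gethostbyname.WS2_32(?), ref: 040C310D
Strings
• String ID: iphlpapi.dll
APIs
• GetTickCount.KERNEL32 ref: 00402078
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
Strings
• String ID: localcfg$net_type$rbl_bl$rbl_ip
"""

if __name__ == "__main__":
    print(triage(REPORT_EXCERPT))
```

Run it on the report text pasted as-is; the leading whitespace and the indented "Part of subcall" bullets are stripped before matching. The hollowing check deliberately keys on the CREATE_SUSPENDED bit rather than on the presence of WriteProcessMemory alone, because legitimate debuggers and installers also write to other processes, while a suspended create followed by a context rewrite and resume is rarely benign.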
APIs
• GetModuleHandleA.KERNEL32(?), ref: 040C2FA1
• LoadLibraryA.KERNEL32(?), ref: 040C2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 040C2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 040C3000
• RtlAllocateHeap.NTDLL(00000000), ref: 040C3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 040C3032
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rwmckfcj,040C7043), ref: 040C6F4E
• GetProcAddress.KERNEL32(00000000), ref: 040C6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 040C6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 040C6F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\rwmckfcj
• API String ID: 1082366364-2125150131
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 040C92E2
• wsprintfA.USER32 ref: 040C9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 040C9375
• lstrlen.KERNEL32(?,?,00000000), ref: 040C9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 040C9394
• CloseHandle.KERNEL32(00000000), ref: 040C939B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 040C9A18
• GetThreadContext.KERNEL32(?,?), ref: 040C9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 040C9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 040C9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 040C9AB5
• ResumeThread.KERNEL32(?), ref: 040C9AC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
• inet_addr.WS2_32(004102D8), ref: 040C1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 040C1C26
• GetProcessHeap.KERNEL32 ref: 040C1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 040C1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 040C1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 040C1D02
• FreeLibrary.KERNEL32(?), ref: 040C1D0B
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1586453840-2980165447
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID: PromptOnSecureDesktop
• API String ID: 1371578007-2980165447
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 040C6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 040C6D22
• GetLastError.KERNEL32 ref: 040C6DA7
• CloseHandle.KERNEL32(?), ref: 040C6DB5
• GetLastError.KERNEL32 ref: 040C6DD6
• DeleteFileA.KERNEL32(?), ref: 040C6DE7
• GetLastError.KERNEL32 ref: 040C6DFD
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
                                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 040C93C6
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 040C93CD
                                                                                        • CharToOemA.USER32(?,?), ref: 040C93DB
                                                                                        • wsprintfA.USER32 ref: 040C9410
                                                                                          • Part of subcall function 040C92CB: GetTempPathA.KERNEL32(00000400,?), ref: 040C92E2
                                                                                          • Part of subcall function 040C92CB: wsprintfA.USER32 ref: 040C9350
                                                                                          • Part of subcall function 040C92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 040C9375
                                                                                          • Part of subcall function 040C92CB: lstrlen.KERNEL32(?,?,00000000), ref: 040C9389
                                                                                          • Part of subcall function 040C92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 040C9394
                                                                                          • Part of subcall function 040C92CB: CloseHandle.KERNEL32(00000000), ref: 040C939B
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 040C9448
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3857584221-2980165447
                                                                                        • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction ID: 1ae3d5b2005a9de36b61c64b0684919e9d873786577b5e4075fb41bc72744c38
                                                                                        • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction Fuzzy Hash: C70192F6900118BBE720A7619D89EDF377CDB85705F0040A5BB49F2080DAB497C48F75
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen
                                                                                        • String ID: $localcfg
                                                                                        • API String ID: 1659193697-2018645984
                                                                                        • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction ID: d11b0a8599c5d9cad7b2df44576c9445bd94a0a59ced9ee264492ad8b3bfcebc
                                                                                        • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction Fuzzy Hash: 2B710A71B4030CEBEF619B94ECC5FEE37AA9B40719F24402EF905B60D1DAA1B5848F56
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                        • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                        APIs
                                                                                          • Part of subcall function 040CDF6C: GetCurrentThreadId.KERNEL32 ref: 040CDFBA
                                                                                        • lstrcmp.KERNEL32(00410178,00000000), ref: 040CE8FA
                                                                                        • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,040C6128), ref: 040CE950
                                                                                        • lstrcmp.KERNEL32(?,00000008), ref: 040CE989
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 2920362961-1846390581
                                                                                        • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                        • Instruction ID: 6f0e261295d9487e3be51681dbe1faae9d46c5fae0e615cca7d1e40e824896b8
                                                                                        • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                        • Instruction Fuzzy Hash: 3A318B31600705DBDBB18F24C884BAE7BE8FB09724F10892EE599A7551E370F885CBC2
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction ID: f2cf30c949edea78775fc7a27ddef98eb01f49b045291d8fac1cf34b7f79cc60
                                                                                        • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction Fuzzy Hash: 84212172204119FFDB209B71FC48EDF7FEDDB496A5B10882AF502E1091EB71EA4096B4
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                        • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                        • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 040CC6B4
                                                                                        • InterlockedIncrement.KERNEL32(040CC74B), ref: 040CC715
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,040CC747), ref: 040CC728
                                                                                        • CloseHandle.KERNEL32(00000000,?,040CC747,00413588,040C8A77), ref: 040CC733
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1026198776-1857712256
                                                                                        • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                        • Instruction ID: 4570966e592fdd29a128d73e8cd29479c1c07b30d2b92cdbe33f4c98334c8ee0
                                                                                        • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                        • Instruction Fuzzy Hash: CF514DB1A05B41CFE7649F79C6C462ABBE9FB48304B50593EE18BD7AA0D774F8408B10
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                          • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 124786226-2980165447
                                                                                        • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                        • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                        • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                        • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                        • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                        • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                        • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseCreateDelete
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2667537340-2980165447
                                                                                        • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                        • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                        • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                        • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,040CE50A,00000000,00000000,00000000,00020106,00000000,040CE50A,00000000,000000E4), ref: 040CE319
                                                                                        • RegSetValueExA.ADVAPI32(040CE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040CE38E
                                                                                        • RegDeleteValueA.ADVAPI32(040CE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040CE3BF
                                                                                        • RegCloseKey.ADVAPI32(040CE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,040CE50A), ref: 040CE3C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseCreateDelete
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2667537340-2980165447
                                                                                        • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                        • Instruction ID: 4803a2b58c989d3153338e19fd6ea83a0178b1dcc025053f91231b5d5ab18198
                                                                                        • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                        • Instruction Fuzzy Hash: EB214B71A00219FBDB209FA4EC89EDE7FA9EF08754F008025F908A6150E271AA5497E1
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 040C71E1
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 040C7228
                                                                                        • LocalFree.KERNEL32(?,?,?), ref: 040C7286
                                                                                        • wsprintfA.USER32 ref: 040C729D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                        • String ID: |
                                                                                        • API String ID: 2539190677-2343686810
                                                                                        • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction ID: b44bb501eb7632a695e62c8e44757340997b0fbe21725451236075fb65b405d9
                                                                                        • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction Fuzzy Hash: C5311A72A00209FBDB41DFA8DC45ADE7BACEF04314F14C16AF959EB140EA75E6488B94
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                                        • String ID: LocalHost
                                                                                        • API String ID: 3695455745-3154191806
                                                                                        • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                        • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 040CB51A
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 040CB529
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 040CB548
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 040CB590
                                                                                        • wsprintfA.USER32 ref: 040CB61E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 4026320513-0
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: eb82a67edf627fb885c31e5c8bbd85b7e9c08aa69f974bc2323e6164dd36c927
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: F7510EB1D0021CEACF54DFD5D8899EEBBB9AF48304F10816AE505B6150E7B85AC9CF98
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 040C6303
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 040C632A
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 040C63B1
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 040C6405
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction ID: b11611b75cc071fcdc3b44e577538700dc5b4c56054356fb22930f8d69d31f73
                                                                                        • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction Fuzzy Hash: E3413B71A00205EBDB64CF98C884AADB7F4EF05358F14896DE855E7290E772F982DB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                        • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                        • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                        • String ID: A$ A
                                                                                        • API String ID: 3343386518-686259309
                                                                                        • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                        • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                        • String ID:
                                                                                        • API String ID: 1128258776-0
                                                                                        • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                        • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                        • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                        • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                        • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3683885500-2980165447
                                                                                        • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                        • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                        • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                        • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                        APIs
                                                                                          • Part of subcall function 040CDF6C: GetCurrentThreadId.KERNEL32 ref: 040CDFBA
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,040CA6AC), ref: 040CE7BF
                                                                                        • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,040CA6AC), ref: 040CE7EA
                                                                                        • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,040CA6AC), ref: 040CE819
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1396056608-2980165447
                                                                                        • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                        • Instruction ID: 0310b0f73134000515bf1222b44ca894adeca5846ff1108cc991e90aaf8c4d14
                                                                                        • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                        • Instruction Fuzzy Hash: 8B21D3B2A40300FAF2207B219C46FEF3E5CDF55B68F10017CBA09B55D3EAA5A55192F5
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 2574300362-1087626847
                                                                                        • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                        • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 040C76D9
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 040C796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 040C797E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseEnumOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1332880857-2980165447
                                                                                        • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                        • Instruction ID: 5f3c9bd1bd86c8a418c4bf34f21cf43876fa1edefe3b0146712b7651d1114aba
                                                                                        • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                        • Instruction Fuzzy Hash: E611AC70A0010AEFEB119FA9EC45EEFBFB9EB81714F140169F515F7290E6B199408F61
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2777991786-2393279970
                                                                                        • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                        • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                        • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                        • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValue
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 849931509-2980165447
                                                                                        • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                        • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                        • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                        • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 040C999D
                                                                                        • RegDeleteValueA.ADVAPI32(?,00000000), ref: 040C99BD
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 040C99C6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValue
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 849931509-2980165447
                                                                                        • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                        • Instruction ID: 6c19569982177343cadc9631972a2be8a6da564212c17034f45f2ff9089e099a
                                                                                        • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                        • Instruction Fuzzy Hash: 84F09CB2680108FBF7116B54EC46FDF3A2CDB55B18F104065F605B50D1F6E55B9052B9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg$u6A
                                                                                        • API String ID: 1594361348-1940331995
                                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction ID: 104c439e9349fa61276d089879ac9257c15ab236f00333d66512ef54c5f8c3f2
                                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction Fuzzy Hash: DDE0EC30A05511DFDB909F28F848AD977E5EF4A230F0585D9F454E75A0C774AC819654
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 040C69E5
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 040C6A26
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000), ref: 040C6A3A
                                                                                        • CloseHandle.KERNEL32(000000FF), ref: 040C6BD8
                                                                                          • Part of subcall function 040CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,040C1DCF,?), ref: 040CEEA8
                                                                                          • Part of subcall function 040CEE95: HeapFree.KERNEL32(00000000), ref: 040CEEAF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 3384756699-0
                                                                                        • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction ID: b30f1b4dd5e0f09bb4e2bf63e98bfe2d6a4d148e3a326745966fd2204ec1e255
                                                                                        • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction Fuzzy Hash: F171187190021DEFDF20DFA4CC80AEEBBB9FB04354F10496AE515B6190D731AE92DB60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                        • API String ID: 2111968516-120809033
                                                                                        • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                        • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                        • GetLastError.KERNEL32 ref: 00403F4E
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 040C41AB
                                                                                        • GetLastError.KERNEL32 ref: 040C41B5
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 040C41C6
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 040C41D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: bcbddcd9eba7de6560bd5b8e57fe17153da0ab57b0dfc643b26fb3ee5baf1650
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: 1001E57691111AEBDF01DF90ED88BEE7BACFB18255F008065FD01E2050D770AA648BB6
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 040C421F
                                                                                        • GetLastError.KERNEL32 ref: 040C4229
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 040C423A
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 040C424D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 9eb90472742c74d9eb5aee9375df1af19f769fd02ff080620e8aeabe8bed2e0b
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: DA01E272911209ABDF01DF90EE85BEE7BACFB08256F418065F901E2050D770AA548BB6
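Two things in the entries above are worth pulling out mechanically rather than by eye: the functions that open a registry hive and then call RegDeleteValueA with PromptOnSecureDesktop as their string reference (ref 00409756 in the 0x400000 image and 040C99BD in the 0x40C0000 region), and the Opcode IDs that recur across both memory regions (9f1c12f5... for the WriteFile wrapper, 7dacf77e... for the ReadFile wrapper), which show the region not based on a PE carries a second copy of the same code rather than different functions. The script below is an added example, not Joe Sandbox code and not part of this report; it assumes the entry layout shown on this page (an "APIs" line, bullet lines ending in ", ref: <addr>", a "Source File" line with "Offset:" and "based on PE:", and "String ID" / "Opcode ID" lines), decodes the hive from the first rendered argument of RegOpenKeyEx (the plugin's argument rendering is heuristic, so treat that as a lead, not proof), and uses an assumed list of UAC policy value names. The sample input is constructed from four entries on this page, trimmed to the lines the parser needs.

```python
"""Triage helper for Joe Sandbox function entries (added example, not Joe Sandbox
code): parse "APIs" entries, decode the RegOpenKeyEx hive constant, flag functions
that delete/set a UAC policy value, and group Opcode IDs seen in several regions."""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
# UAC policy value names to watch for: an assumed list, extend as needed.
UAC_VALUES = {"PromptOnSecureDesktop", "EnableLUA", "ConsentPromptBehaviorAdmin"}

API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
OPCODE_RE = re.compile(r"^•\s*Opcode ID:\s*([0-9a-f]{64})$")
STRID_RE = re.compile(r"^•\s*String ID:\s*(.*)$")

Call = namedtuple("Call", "api module args ref")

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    region: str = ""           # "Offset:" of the dump the function was found in
    based_on_pe: bool = False  # False: region is not a mapped PE image (unpacked code)
    opcode_id: str = ""
    strings: list = field(default_factory=list)

def parse_report(text):
    """Split a function dump into one Entry per "APIs" block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
            cur.calls.append(Call(m.group(1), m.group(2), args, m.group(4)))
        elif m := SRC_RE.search(line):
            cur.region, cur.based_on_pe = m.group(1).upper(), m.group(2) == "true"
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m.group(1)
        elif m := STRID_RE.match(line):
            cur.strings = [s for s in m.group(1).split("$") if s]
    return entries

def uac_tampering(entries):
    """(region, hive, value name, ref of the writing call) for every function
    that opens a hive and then deletes or sets a UAC policy value."""
    hits = []
    for e in entries:
        opener = next((c for c in e.calls if c.api.startswith("RegOpenKeyEx") and c.args), None)
        hive = HIVES.get(opener.args[0].upper(), opener.args[0]) if opener else None
        writer = next((c for c in e.calls
                       if c.api.startswith(("RegDeleteValue", "RegSetValue"))), None)
        if writer is None:
            continue
        seen = set(e.strings).union(*(c.args for c in e.calls))
        for value in sorted(seen & UAC_VALUES):
            hits.append((e.region, hive, value, writer.ref))
    return hits

def shared_functions(entries):
    """Opcode ID -> sorted regions, for IDs that occur in more than one region."""
    by_id = defaultdict(set)
    for e in entries:
        if e.opcode_id:
            by_id[e.opcode_id].add(e.region)
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}

# Constructed input: four entries excerpted from this report, headings trimmed.
SAMPLE_REPORT = """\
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID: PromptOnSecureDesktop
• Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 040C999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 040C99BD
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
• String ID: PromptOnSecureDesktop
• Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 040C41AB
• GetLastError.KERNEL32 ref: 040C41B5
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
"""

if __name__ == "__main__":
    ents = parse_report(SAMPLE_REPORT)
    print(uac_tampering(ents), shared_functions(ents), sep="\n")
```

One caveat before reporting the registry hit as a UAC change: PromptOnSecureDesktop is a machine policy under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, while the hive constant rendered here is 80000001 (HKEY_CURRENT_USER). Deleting a value of that name under HKCU would not alter UAC behaviour, so confirm the actual key path in the disassembly at 00409736 / 040C999D before writing it up as an effective policy change. The Opcode ID grouping needs no such caveat: an identical 64-hex Opcode ID in a region "based on PE: true" and one "based on PE: false" is the same instruction sequence mapped twice, which is consistent with the unpacking and injection behaviour listed in the report's signature summary.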
                                                                                        APIs
                                                                                        • lstrcmp.KERNEL32(?,80000009), ref: 040CE066
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmp
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
APIs
• WriteFile.KERNEL32(00000001,040C44E2,00000000,00000000,00000000), ref: 040CE470
• CloseHandle.KERNEL32(00000001,00000003), ref: 040CE484
  • Part of subcall function 040CE2FC: RegCreateKeyExA.ADVAPI32(80000001,040CE50A,00000000,00000000,00000000,00020106,00000000,040CE50A,00000000,000000E4), ref: 040CE319
  • Part of subcall function 040CE2FC: RegSetValueExA.ADVAPI32(040CE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040CE38E
  • Part of subcall function 040CE2FC: RegDeleteValueA.ADVAPI32(040CE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040CE3BF
  • Part of subcall function 040CE2FC: RegCloseKey.ADVAPI32(040CE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,040CE50A), ref: 040CE3C8
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 040C83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 040C8477
  • Part of subcall function 040C69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 040C69E5
  • Part of subcall function 040C69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 040C6A26
  • Part of subcall function 040C69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 040C6A3A
  • Part of subcall function 040CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,040C1DCF,?), ref: 040CEEA8
  • Part of subcall function 040CEE95: HeapFree.KERNEL32(00000000), ref: 040CEEAF
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 359188348-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,040CE859,00000000,00020119,040CE859,PromptOnSecureDesktop), ref: 040CE64D
• RegCloseKey.ADVAPI32(040CE859,?,?,?,?,000000C8,000000E4), ref: 040CE787
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID: CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 47109696-2980165447
APIs
• GetLocalTime.KERNEL32(?), ref: 040CAFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 040CB00D
  • Part of subcall function 040CAF6F: gethostname.WS2_32(?,00000080), ref: 040CAF83
  • Part of subcall function 040CAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 040CAFE6
  • Part of subcall function 040C331C: gethostname.WS2_32(?,00000080), ref: 040C333F
  • Part of subcall function 040C331C: gethostbyname.WS2_32(?), ref: 040C3349
  • Part of subcall function 040CAA0A: inet_ntoa.WS2_32(00000000), ref: 040CAA10
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 040C9536
• Sleep.KERNEL32(000001F4), ref: 040C955D
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• GetTickCount.KERNEL32 ref: 040CB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 040CBA3A
• InterlockedIncrement.KERNEL32(?), ref: 040CBA94
• GetTickCount.KERNEL32 ref: 040CBB79
• GetTickCount.KERNEL32 ref: 040CBB99
• InterlockedIncrement.KERNEL32(?), ref: 040CBE15
• closesocket.WS2_32(00000000), ref: 040CBEB4
Memory Dump Source
• Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 536389180-1857712256
                                                                                        • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                        • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                        APIs
                                                                                        Strings
                                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTickwsprintf
                                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                        • API String ID: 2424974917-1012700906
                                                                                        • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                        • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                        APIs
                                                                                          • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                          • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 3716169038-2903620461
                                                                                        • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                        • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 040C70BC
                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 040C70F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountLookupUser
                                                                                        • String ID: |
                                                                                        • API String ID: 2370142434-2343686810
                                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction ID: 35141bc916a8bcfc924187f91e6434819457bb7e11b8ab2ebc0c4e8fb5d62442
                                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction Fuzzy Hash: A011FA72900119EBDB51CFD8DC84ADEB7BDAB44711F1481AAE901F7190D670AB889FA0
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2777991786-1857712256
                                                                                        • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                        • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                        APIs
                                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                        • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 224340156-2903620461
                                                                                        • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                        • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                        APIs
                                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                        • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2112563974-1857712256
                                                                                        • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                        • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 1594361348-2401304539
                                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: ntdll.dll
                                                                                        • API String ID: 2574300362-2227199552
                                                                                        • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                        • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                        • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                        • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                        APIs
                                                                                          • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                          • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2077683077.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2077683077.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                        • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                        • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                        • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                        APIs
                                                                                          • Part of subcall function 040C2F88: GetModuleHandleA.KERNEL32(?), ref: 040C2FA1
                                                                                          • Part of subcall function 040C2F88: LoadLibraryA.KERNEL32(?), ref: 040C2FB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 040C31DA
                                                                                        • HeapFree.KERNEL32(00000000), ref: 040C31E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079287696.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_40c0000_2IFYYPRUgO.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction ID: b2548dd1f947f1db23a56d115f9906c3fba1f9a147681a4dca4668199b7a24d1
                                                                                        • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction Fuzzy Hash: 22518E7191024AEFDF019F64D8889EDB7B5FF06305F148569EC96E7210E732AA19CB90

                                                                                        Execution Graph

                                                                                        Execution Coverage: 2.9%
                                                                                        Dynamic/Decrypted Code Coverage: 30.5%
                                                                                        Signature Coverage: 0%
                                                                                        Total number of Nodes: 1576
                                                                                        Total number of Limit Nodes: 13
Execution Graph

The graph is rendered interactively in the original report; the text below keeps its recoverable content, the function addresses (nodes) together with the Windows API calls attached to each node, grouped by theme. Addresses are as shown in the graph.

Service control
  409961  RegisterServiceCtrlHandlerA
  409892, 4098c2  SetServiceStatus
  409904  Sleep (looped until the start routine completes)
  40a39d  StartServiceCtrlDispatcherA

Process creation and code injection into the child (sequence as drawn)
  409794  CreateProcessA
  4097d4  Wow64GetThreadContext
  40638a  GetModuleHandleA, VirtualAlloc
  4063be  VirtualAllocEx
  4063df  WriteProcessMemory
  40981e  WriteProcessMemory
  40983b  Wow64SetThreadContext
  409858  ResumeThread
  4097f6  TerminateProcess (failure path)

Second code region (2698xxx)
  2698805  CreateToolhelp32Snapshot
  2698821  Module32First
  26984dc  VirtualAlloc

Startup and host fingerprinting
  409a6b  SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter
  40ec54  GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount
  409aa3, 40a167, 409f9d, 40934a  GetModuleHandleA, GetModuleFileNameA
  409afd, 40a1e3  GetCommandLineA
  40a41c  CreateThread, WSAStartup
  401db4, 401924  GetVersionExA
  401dd0  GetSystemInfo, GetModuleHandleA, GetProcAddress
  401e16, 401851  GetCurrentProcess
  401c0d, 401b68  GetComputerNameA
  401c45, 401b68, 406e02  GetVolumeInformationA
  4030d0  gethostname, gethostbyname
  406d12  GetSystemDirectoryA;  406d27  GetWindowsDirectoryA
  406e36  GetUserNameW;  406e5f  LookupAccountNameW
  406f5f  GetUserNameA;  406f88  LookupAccountNameA;  406fdb  ConvertSidToStringSidA;  407013  LocalFree
  406eef  AllocateAndInitializeSid;  406f1c  CheckTokenMembership;  406f3b  FreeSid

Dynamic API resolution
  40100d  LoadLibraryA, followed by GetProcAddress at 4010b5, 4010d1, 4010f0, 401110, 401130, 40114f, 40116f, 40118f, 4011ae, 4011ce, 4011ee, 401209, 401225, 401241, 40125c
  40eaed  LoadLibraryA;  40eb02  GetProcAddress
  40199c  inet_addr, LoadLibraryA;  4019d5  GetProcAddress x3;  401ab3, 401aa1  FreeLibrary
  401ac3  LoadLibraryA;  401ae2  GetProcAddress
  40f04e  LoadLibraryA, GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime
  406cdc  GetModuleHandleA, GetProcAddress

Installation, self-copy and self-deletion
  409ca0, 409064, 40cc1c  GetTempPathA
  409e6b, 40cfad, 40d36e, 40d22d, 40db67  GetEnvironmentVariableA
  40a1b2, 409ff1  GetDriveTypeA
  409dde  GetFileAttributesExA
  409f32  RegOpenKeyExA;  409f48  RegSetValueExA, RegCloseKey
  40972d  RegOpenKeyExA;  40974f  RegDeleteValueA, RegCloseKey
  40a0a4  wsprintfA;  40a103  CreateProcessA;  40a12a  DeleteFileA
  40a406, 409e0c, 407ece  DeleteFileA
  409145  GetModuleHandleA, GetModuleFileNameA, CharToOemA;  40919e  wsprintfA;  4090fd  CreateFileA;  40911a  lstrlenA, WriteFile, CloseHandle;  4091d5  ShellExecuteA
  4092bf  ShellExecuteA, retried after Sleep at 4092f1

Launch as another user
  401570  lstrlenW;  4015be  GetStartupInfoW;  4015ff  CreateProcessWithLogonW;  40163f  WaitForSingleObject;  401659, 401668  CloseHandle;  4016bf, 4016f9  GetLastError

File I/O
  40400b  CreateFileA, GetLastError at 40402c, retried after Sleep at 404041
  403f18  WriteFile, GetLastError, WaitForSingleObject, GetOverlappedResult
  403f8c  ReadFile, GetLastError, WaitForSingleObject, GetOverlappedResult
  406784, 4067a4  CreateFileA;  40677a, 4067ba  SetFileAttributesA;  4067cf  GetFileSize
  4067ed, 40682a, 406878, 40690d  ReadFile;  406811, 406848, 406900  SetFilePointer;  40696e  CloseHandle
  406a60  CreateFileA;  406a8f  GetDiskFreeSpaceA;  4069b9, 406a10  WriteFile;  406b36, 406b65  GetLastError, CloseHandle;  406b7f  DeleteFileA
  40db89  lstrcpyA, CreateFileA;  40e555  GetFileSize;  40e576  ReadFile
  40e1f9  WriteFile;  40e21a  CloseHandle

Named pipe
  404280, 40405e  CreateEventA
  404159  CreateNamedPipeA;  404188  ConnectNamedPipe;  404195  GetLastError;  40425e  DisconnectNamedPipe
  404167  Sleep;  404176, 404127, 40426a  CloseHandle

Registry access
  4094e8  RegOpenKeyExA;  40951f, 409556  RegQueryValueExA;  40956e  RegCloseKey
  408156  RegOpenKeyExA;  40816d, 4081aa  RegQueryValueExA;  40820d  RegCloseKey
  40e3ca  RegOpenKeyExA;  40e434, 40e46e, 40e4b9  RegQueryValueExA;  40e51d  RegCloseKey
  40e095  RegCreateKeyExA;  40e115  RegSetValueExA;  40e14e  RegDeleteValueA, RegCloseKey
  407469, 4074d2  RegOpenKeyExA;  407703  RegEnumKeyA;  407521  RegQueryValueExA;  407487  ___ascii_stricmp;  40777e  GetFileAttributesExA;  RegCloseKey at 407714, 407742, 4076e4, 4077e3, 4077ec
  4070b9  RegOpenKeyExA;  40719b  RegEnumValueA;  4072b8  ___ascii_stricmp;  40737e  GetFileAttributesExA;  RegCloseKey at 4071af, 407205, 40728e, 4072cd, 407311, 4073d5

Security descriptor and ACL modification (files)
  407809  GetUserNameA;  40783d  LookupAccountNameA;  407874  GetLengthSid, GetFileSecurityA
  4078a8  GetSecurityDescriptorOwner;  4078c5  EqualSid;  4078dc  LocalAlloc;  4078ef  InitializeSecurityDescriptor;  4078fb  SetSecurityDescriptorOwner;  40790b  SetFileSecurityA;  407916  LocalFree
  40791d  GetSecurityDescriptorDacl;  40795b  GetAce;  407980, 4079be  EqualSid;  40799d  DeleteAce
  407a43  LocalAlloc;  407a56  InitializeSecurityDescriptor;  407a62  SetSecurityDescriptorDacl;  407a73  SetFileSecurityA;  407a86  LocalFree

Security descriptor and ACL modification (registry keys)
  407a95  RegOpenKeyExA;  407acb  GetUserNameA;  407aed  LookupAccountNameA;  407b24  RegGetKeySecurity
  407b49  GetSecurityDescriptorOwner;  407b63  EqualSid;  407b74  LocalAlloc;  407b8a  InitializeSecurityDescriptor;  407b96  SetSecurityDescriptorOwner;  407ba6  RegSetKeySecurity;  407bb1  LocalFree
  407bb8  GetSecurityDescriptorDacl;  407bf8  GetAce;  407c1d, 407c5f  EqualSid;  407c3a  DeleteAce
  407cf2  RegOpenKeyExA;  407d43  RegSetValueExA
  407d5a  LocalAlloc;  407d70  InitializeSecurityDescriptor;  407d7c  SetSecurityDescriptorDacl;  407d8c  RegSetKeySecurity;  407d9f  LocalFree;  407da7  RegCloseKey

Network I/O
  402692  inet_addr;  40269e  gethostbyname
  40f347  htons, socket;  40f382, 40f403  ioctlsocket;  40f3aa  connect, select;  40f3f2  __WSAFDIsSet;  40f26d  setsockopt x5;  40f374, 40f39f  closesocket
  40f473, 40c7c3 region  recv (40f43e helper)
  40c73c  send;  40c65c  send, GetProcessHeap, HeapSize, GetProcessHeap, HeapAlloc
  40ca4b, 40cb60, 40dad2  closesocket;  40d569  closesocket, Sleep;  40d582  ExitProcess

Payload drop and execution (40cxxx / 40dxxx)
  40cc9f  CreateFileA;  40ccc6  WriteFile;  40cced, 40cdcc  CloseHandle;  40cd16  wsprintfA;  40cd81  WaitForSingleObject, CloseHandle, CloseHandle;  40cdbd  DeleteFileA
  40d15b  CreateFileA;  40d182  WriteFile, CloseHandle;  40d149, 40d1bf  SetFileAttributesA
  40d2b1  CreateFileA;  40d2d8  WriteFile, CloseHandle;  40d29f, 40d31d  SetFileAttributesA;  40d26e  lstrcatA
  40d3f2  CreateFileA;  40d415  WriteFile, CloseHandle;  40d3e0, 40d452  SetFileAttributesA;  40d3af  lstrcatA
  40d4b1  CreateProcessA;  40d4e8  CloseHandle, CloseHandle
  4080c2  CreateProcessA
  40cfe3, 40d027  GetSystemDirectoryA;  40d105  lstrcatA;  40d815  wsprintfA
  408e26  GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle

Heap, string and synchronization helpers
  40ebcc  GetProcessHeap, HeapAlloc;  40eb7b, 40eba7  GetProcessHeap, HeapSize;  40ebbf  GetProcessHeap, HeapFree;  40ec0a  GetProcessHeap, HeapReAlloc
  401a14  GetProcessHeap;  401a2e  HeapAlloc;  401a52  HeapReAlloc;  401a96  HeapFree
  40f0fa  lstrlenA, SysAllocStringByteLen;  40f11c  MultiByteToWideChar
  lstrlenA at 40ef1e, 40f1a5, 409b96, 40a285, 402419, 40243d, 402464, 403b66, 40dd79, 40e926, 40e94c
  lstrcpyA at 4099d2, 409eb0, 40e885;  lstrcpynA at 40e8c8, 40e6e0;  lstrcatA at 402554, 409a2f, 409a4b, 409d72, 40a02d, 40a052, 40a064, 40a081, 40a0ec
  lstrcmpA at 40ddfa, 40e68c, 40e71d;  lstrcmpiA at 40ddad, 40244e, 40e7ff, 403141
  wsprintfA at 4093c3, 409401, 40947e, 4090e2, 40c07e, 40702a;  40bfce  GetTickCount, wsprintfA
  40dd41  InterlockedExchange;  40dd20, 40dd53  GetCurrentThreadId;  40dd2e  GetTickCount;  40dd39  Sleep
  407dc8  InterlockedExchange;  407dc0  Sleep
  403122  InterlockedExchange;  40310f  GetTickCount;  40311a  Sleep
  40a49f, 40a4b7, 401f8e, 40dd05  GetTickCount;  40a4be, 40a3f8, 408dec  Sleep;  40a3ed  GetLastError
  408269  CreateThread;  409c05  ExitProcess
403f18 4 API calls 16031->16033 16032->16030 16035 40411c ExitProcess 16033->16035 16034->16030 16037 40e318 23 API calls 16036->16037 16038 40427b 16037->16038 16038->16038 16040 408791 16039->16040 16041 40879f 16039->16041 16042 40f04e 4 API calls 16040->16042 16043 4087bc 16041->16043 16044 40f04e 4 API calls 16041->16044 16042->16041 16045 40e819 11 API calls 16043->16045 16044->16043 16046 4087d7 16045->16046 16055 408803 16046->16055 16061 4026b2 gethostbyaddr 16046->16061 16049 4087eb 16051 40e8a1 30 API calls 16049->16051 16049->16055 16051->16055 16054 40e819 11 API calls 16054->16055 16055->16054 16056 4088a0 Sleep 16055->16056 16058 4026b2 2 API calls 16055->16058 16059 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16055->16059 16060 40e8a1 30 API calls 16055->16060 16066 408cee 16055->16066 16074 40c4d6 16055->16074 16077 40c4e2 16055->16077 16080 402011 16055->16080 16115 408328 16055->16115 16056->16055 16058->16055 16059->16055 16060->16055 16062 4026fb 16061->16062 16063 4026cd 16061->16063 16062->16049 16064 4026e1 inet_ntoa 16063->16064 16065 4026de 16063->16065 16064->16065 16065->16049 16067 408d02 GetTickCount 16066->16067 16068 408dae 16066->16068 16067->16068 16071 408d19 16067->16071 16068->16055 16069 408da1 GetTickCount 16069->16068 16071->16069 16073 408d89 16071->16073 16167 40a677 16071->16167 16170 40a688 16071->16170 16073->16069 16178 40c2dc 16074->16178 16078 40c2dc 141 API calls 16077->16078 16079 40c4ec 16078->16079 16079->16055 16081 402020 16080->16081 16082 40202e 16080->16082 16084 40f04e 4 API calls 16081->16084 16083 40204b 16082->16083 16085 40f04e 4 API calls 16082->16085 16086 40206e GetTickCount 16083->16086 16087 40f04e 4 API calls 16083->16087 16084->16082 16085->16083 16088 4020db GetTickCount 16086->16088 16099 402090 16086->16099 16090 402068 16087->16090 16089 402132 GetTickCount GetTickCount 16088->16089 16104 4020e7 16088->16104 16092 40f04e 4 API calls 16089->16092 16090->16086 
16091 4020d4 GetTickCount 16091->16088 16094 402159 16092->16094 16093 40212b GetTickCount 16093->16089 16096 4021b4 16094->16096 16098 40e854 13 API calls 16094->16098 16095 402684 2 API calls 16095->16099 16100 40f04e 4 API calls 16096->16100 16103 40218e 16098->16103 16099->16091 16099->16095 16102 4020ce 16099->16102 16505 401978 16099->16505 16101 4021d1 16100->16101 16106 4021f2 16101->16106 16110 40ea84 30 API calls 16101->16110 16102->16091 16107 40e819 11 API calls 16103->16107 16104->16093 16108 401978 15 API calls 16104->16108 16109 402125 16104->16109 16510 402ef8 16104->16510 16106->16055 16111 40219c 16107->16111 16108->16104 16109->16093 16112 4021ec 16110->16112 16111->16096 16518 401c5f 16111->16518 16113 40f04e 4 API calls 16112->16113 16113->16106 16116 407dd6 6 API calls 16115->16116 16117 40833c 16116->16117 16118 406ec3 2 API calls 16117->16118 16143 408340 16117->16143 16119 40834f 16118->16119 16120 40835c 16119->16120 16123 40846b 16119->16123 16121 4073ff 17 API calls 16120->16121 16141 408373 16121->16141 16122 4085df 16124 408626 GetTempPathA 16122->16124 16131 408762 16122->16131 16144 408638 16122->16144 16127 4084a7 RegOpenKeyExA 16123->16127 16140 408450 16123->16140 16124->16144 16125 40675c 21 API calls 16125->16122 16129 4084c0 RegQueryValueExA 16127->16129 16130 40852f 16127->16130 16128 4086ad 16128->16131 16134 407e2f 6 API calls 16128->16134 16132 408521 RegCloseKey 16129->16132 16133 4084dd 16129->16133 16135 408564 RegOpenKeyExA 16130->16135 16147 4085a5 16130->16147 16139 40ec2e codecvt 4 API calls 16131->16139 16131->16143 16132->16130 16133->16132 16137 40ebcc 4 API calls 16133->16137 16148 4086bb 16134->16148 16136 408573 RegSetValueExA RegCloseKey 16135->16136 16135->16147 16136->16147 16142 4084f0 16137->16142 16138 40875b DeleteFileA 16138->16131 16139->16143 16140->16122 16140->16125 16141->16140 16141->16143 16149 4083ea RegOpenKeyExA 16141->16149 16142->16132 16146 4084f8 RegQueryValueExA 16142->16146 16143->16055 
16590 406ba7 IsBadCodePtr 16144->16590 16146->16132 16150 408515 16146->16150 16147->16140 16151 40ec2e codecvt 4 API calls 16147->16151 16148->16138 16154 4086e0 lstrcpyA lstrlenA 16148->16154 16149->16140 16152 4083fd RegQueryValueExA 16149->16152 16153 40ec2e codecvt 4 API calls 16150->16153 16151->16140 16155 40842d RegSetValueExA 16152->16155 16156 40841e 16152->16156 16158 40851d 16153->16158 16159 407fcf 64 API calls 16154->16159 16157 408447 RegCloseKey 16155->16157 16156->16155 16156->16157 16157->16140 16158->16132 16160 408719 CreateProcessA 16159->16160 16161 40873d CloseHandle CloseHandle 16160->16161 16162 40874f 16160->16162 16161->16131 16163 407ee6 64 API calls 16162->16163 16164 408754 16163->16164 16165 407ead 6 API calls 16164->16165 16166 40875a 16165->16166 16166->16138 16173 40a63d 16167->16173 16169 40a685 16169->16071 16171 40a63d GetTickCount 16170->16171 16172 40a696 16171->16172 16172->16071 16174 40a645 16173->16174 16175 40a64d 16173->16175 16174->16169 16176 40a66e 16175->16176 16177 40a65e GetTickCount 16175->16177 16176->16169 16177->16176 16194 40a4c7 GetTickCount 16178->16194 16181 40c300 GetTickCount 16183 40c337 16181->16183 16182 40c326 16182->16183 16186 40c32b GetTickCount 16182->16186 16188 40c363 GetTickCount 16183->16188 16193 40c45e 16183->16193 16184 40c4d2 16184->16055 16185 40c4ab InterlockedIncrement CreateThread 16185->16184 16187 40c4cb CloseHandle 16185->16187 16199 40b535 16185->16199 16186->16183 16187->16184 16189 40c373 16188->16189 16188->16193 16190 40c378 GetTickCount 16189->16190 16191 40c37f 16189->16191 16190->16191 16192 40c43b GetTickCount 16191->16192 16192->16193 16193->16184 16193->16185 16195 40a4f7 InterlockedExchange 16194->16195 16196 40a500 16195->16196 16197 40a4e4 GetTickCount 16195->16197 16196->16181 16196->16182 16196->16193 16197->16196 16198 40a4ef Sleep 16197->16198 16198->16195 16200 40b566 16199->16200 16201 40ebcc 4 API calls 16200->16201 16202 40b587 16201->16202 16203 40ebcc 4 API 
calls 16202->16203 16254 40b590 16203->16254 16204 40bdcd InterlockedDecrement 16205 40bde2 16204->16205 16207 40ec2e codecvt 4 API calls 16205->16207 16208 40bdea 16207->16208 16209 40ec2e codecvt 4 API calls 16208->16209 16211 40bdf2 16209->16211 16210 40bdb7 Sleep 16210->16254 16213 40be05 16211->16213 16214 40ec2e codecvt 4 API calls 16211->16214 16212 40bdcc 16212->16204 16214->16213 16215 40ebed 8 API calls 16215->16254 16218 40b6b6 lstrlenA 16218->16254 16219 4030b5 2 API calls 16219->16254 16220 40e819 11 API calls 16220->16254 16221 40b6ed lstrcpyA 16274 405ce1 16221->16274 16224 40b731 lstrlenA 16224->16254 16225 40b71f lstrcmpA 16225->16224 16225->16254 16226 40b772 GetTickCount 16226->16254 16227 40bd49 InterlockedIncrement 16368 40a628 16227->16368 16230 4038f0 6 API calls 16230->16254 16231 40bc5b InterlockedIncrement 16231->16254 16232 40b7ce InterlockedIncrement 16284 40acd7 16232->16284 16235 40b912 GetTickCount 16235->16254 16236 40b826 InterlockedIncrement 16236->16226 16237 40b932 GetTickCount 16239 40bc6d InterlockedIncrement 16237->16239 16237->16254 16238 40bcdc closesocket 16238->16254 16239->16254 16240 405ce1 22 API calls 16240->16254 16242 40bba6 InterlockedIncrement 16242->16254 16245 40bc4c closesocket 16245->16254 16248 40ba71 wsprintfA 16302 40a7c1 16248->16302 16249 405ded 12 API calls 16249->16254 16251 40ab81 lstrcpynA InterlockedIncrement 16251->16254 16252 40a7c1 22 API calls 16252->16254 16253 40ef1e lstrlenA 16253->16254 16254->16204 16254->16210 16254->16212 16254->16215 16254->16218 16254->16219 16254->16220 16254->16221 16254->16224 16254->16225 16254->16226 16254->16227 16254->16230 16254->16231 16254->16232 16254->16235 16254->16236 16254->16237 16254->16238 16254->16240 16254->16242 16254->16245 16254->16248 16254->16249 16254->16251 16254->16252 16254->16253 16255 40a688 GetTickCount 16254->16255 16256 403e10 16254->16256 16259 403e4f 16254->16259 16262 40384f 16254->16262 16282 40a7a3 inet_ntoa 16254->16282 16289 40abee 
16254->16289 16301 401feb GetTickCount 16254->16301 16322 403cfb 16254->16322 16325 40b3c5 16254->16325 16356 40ab81 16254->16356 16255->16254 16257 4030fa 4 API calls 16256->16257 16258 403e1d 16257->16258 16258->16254 16260 4030fa 4 API calls 16259->16260 16261 403e5c 16260->16261 16261->16254 16263 4030fa 4 API calls 16262->16263 16265 403863 16263->16265 16264 4038b2 16264->16254 16265->16264 16266 4038b9 16265->16266 16267 403889 16265->16267 16377 4035f9 16266->16377 16371 403718 16267->16371 16272 403718 6 API calls 16272->16264 16273 4035f9 6 API calls 16273->16264 16275 405cf4 16274->16275 16276 405cec 16274->16276 16278 404bd1 4 API calls 16275->16278 16383 404bd1 GetTickCount 16276->16383 16279 405d02 16278->16279 16388 405472 16279->16388 16283 40a7b9 16282->16283 16283->16254 16285 40f315 14 API calls 16284->16285 16286 40aceb 16285->16286 16287 40acff 16286->16287 16288 40f315 14 API calls 16286->16288 16287->16254 16288->16287 16290 40abfb 16289->16290 16293 40ac65 16290->16293 16451 402f22 16290->16451 16292 40f315 14 API calls 16292->16293 16293->16292 16294 40ac8a 16293->16294 16295 40ac6f 16293->16295 16294->16254 16297 40ab81 2 API calls 16295->16297 16296 40ac23 16296->16293 16298 402684 2 API calls 16296->16298 16299 40ac81 16297->16299 16298->16296 16459 4038f0 16299->16459 16301->16254 16303 40a87d lstrlenA send 16302->16303 16307 40a7df 16302->16307 16304 40a899 16303->16304 16305 40a8bf 16303->16305 16308 40a8a5 wsprintfA 16304->16308 16321 40a89e 16304->16321 16309 40a8c4 send 16305->16309 16314 40a8f2 16305->16314 16306 40a80a 16306->16303 16307->16303 16307->16306 16311 40a7fa wsprintfA 16307->16311 16307->16314 16308->16321 16312 40a8d8 wsprintfA 16309->16312 16309->16314 16310 40a978 recv 16310->16314 16315 40a982 16310->16315 16311->16306 16312->16321 16313 40a9b0 wsprintfA 16313->16321 16314->16310 16314->16313 16314->16315 16316 4030b5 2 API calls 16315->16316 16315->16321 16317 40ab05 16316->16317 16318 40e819 11 API calls 
16317->16318 16319 40ab17 16318->16319 16320 40a7a3 inet_ntoa 16319->16320 16320->16321 16321->16254 16323 4030fa 4 API calls 16322->16323 16324 403d0b 16323->16324 16324->16254 16326 405ce1 22 API calls 16325->16326 16327 40b3e6 16326->16327 16328 405ce1 22 API calls 16327->16328 16330 40b404 16328->16330 16329 40b440 16331 40ef7c 3 API calls 16329->16331 16330->16329 16332 40ef7c 3 API calls 16330->16332 16333 40b458 wsprintfA 16331->16333 16334 40b42b 16332->16334 16335 40ef7c 3 API calls 16333->16335 16336 40ef7c 3 API calls 16334->16336 16337 40b480 16335->16337 16336->16329 16338 40ef7c 3 API calls 16337->16338 16339 40b493 16338->16339 16340 40ef7c 3 API calls 16339->16340 16341 40b4bb 16340->16341 16473 40ad89 GetLocalTime SystemTimeToFileTime 16341->16473 16345 40b4cc 16346 40ef7c 3 API calls 16345->16346 16347 40b4dd 16346->16347 16348 40b211 7 API calls 16347->16348 16349 40b4ec 16348->16349 16350 40ef7c 3 API calls 16349->16350 16351 40b4fd 16350->16351 16352 40b211 7 API calls 16351->16352 16353 40b509 16352->16353 16354 40ef7c 3 API calls 16353->16354 16355 40b51a 16354->16355 16355->16254 16357 40abe9 GetTickCount 16356->16357 16359 40ab8c 16356->16359 16361 40a51d 16357->16361 16358 40aba8 lstrcpynA 16358->16359 16359->16357 16359->16358 16360 40abe1 InterlockedIncrement 16359->16360 16360->16359 16362 40a4c7 4 API calls 16361->16362 16363 40a52c 16362->16363 16364 40a542 GetTickCount 16363->16364 16366 40a539 GetTickCount 16363->16366 16364->16366 16367 40a56c 16366->16367 16367->16254 16369 40a4c7 4 API calls 16368->16369 16370 40a633 16369->16370 16370->16254 16372 40f04e 4 API calls 16371->16372 16374 40372a 16372->16374 16373 403847 16373->16264 16373->16272 16374->16373 16375 4037b3 GetCurrentThreadId 16374->16375 16375->16374 16376 4037c8 GetCurrentThreadId 16375->16376 16376->16374 16378 40f04e 4 API calls 16377->16378 16382 40360c 16378->16382 16379 4036f1 16379->16264 16379->16273 16380 4036da GetCurrentThreadId 16380->16379 16381 4036e5 
GetCurrentThreadId 16380->16381 16381->16379 16382->16379 16382->16380 16384 404bff InterlockedExchange 16383->16384 16385 404c08 16384->16385 16386 404bec GetTickCount 16384->16386 16385->16275 16386->16385 16387 404bf7 Sleep 16386->16387 16387->16384 16407 404763 16388->16407 16390 405b58 16417 404699 16390->16417 16393 404763 lstrlenA 16394 405b6e 16393->16394 16438 404f9f 16394->16438 16396 405b79 16396->16254 16398 405549 lstrlenA 16406 40548a 16398->16406 16400 40558d lstrcpynA 16400->16406 16401 404ae6 8 API calls 16401->16406 16402 405a9f lstrcpyA 16402->16406 16403 405472 13 API calls 16403->16406 16404 405935 lstrcpynA 16404->16406 16405 4058e7 lstrcpyA 16405->16406 16406->16390 16406->16400 16406->16401 16406->16402 16406->16403 16406->16404 16406->16405 16411 404ae6 16406->16411 16415 40ef7c lstrlenA lstrlenA lstrlenA 16406->16415 16409 40477a 16407->16409 16408 404859 16408->16406 16409->16408 16410 40480d lstrlenA 16409->16410 16410->16409 16412 404af3 16411->16412 16414 404b03 16411->16414 16413 40ebed 8 API calls 16412->16413 16413->16414 16414->16398 16416 40efb4 16415->16416 16416->16406 16443 4045b3 16417->16443 16420 4045b3 7 API calls 16421 4046c6 16420->16421 16422 4045b3 7 API calls 16421->16422 16423 4046d8 16422->16423 16424 4045b3 7 API calls 16423->16424 16425 4046ea 16424->16425 16426 4045b3 7 API calls 16425->16426 16427 4046ff 16426->16427 16428 4045b3 7 API calls 16427->16428 16429 404711 16428->16429 16430 4045b3 7 API calls 16429->16430 16431 404723 16430->16431 16432 40ef7c 3 API calls 16431->16432 16433 404735 16432->16433 16434 40ef7c 3 API calls 16433->16434 16435 40474a 16434->16435 16436 40ef7c 3 API calls 16435->16436 16437 40475c 16436->16437 16437->16393 16439 404fac 16438->16439 16441 404fb0 16438->16441 16439->16396 16440 404ffd 16440->16396 16441->16440 16442 404fd5 IsBadCodePtr 16441->16442 16442->16441 16444 4045c1 16443->16444 16445 4045c8 16443->16445 16446 40ebcc 4 API calls 16444->16446 16447 4045e1 16445->16447 
16448 40ebcc 4 API calls 16445->16448 16446->16445 16449 404691 16447->16449 16450 40ef7c 3 API calls 16447->16450 16448->16447 16449->16420 16450->16447 16466 402d21 GetModuleHandleA 16451->16466 16454 402fcf GetProcessHeap HeapFree 16458 402f44 16454->16458 16455 402f4f 16457 402f6b GetProcessHeap HeapFree 16455->16457 16456 402f85 16456->16454 16456->16456 16457->16458 16458->16296 16460 403900 16459->16460 16461 403980 16459->16461 16462 4030fa 4 API calls 16460->16462 16461->16294 16465 40390a 16462->16465 16463 40391b GetCurrentThreadId 16463->16465 16464 403939 GetCurrentThreadId 16464->16465 16465->16461 16465->16463 16465->16464 16467 402d46 LoadLibraryA 16466->16467 16468 402d5b GetProcAddress 16466->16468 16467->16468 16470 402d54 16467->16470 16468->16470 16472 402d6b 16468->16472 16469 402d97 GetProcessHeap HeapAlloc 16469->16470 16469->16472 16470->16455 16470->16456 16470->16458 16471 402db5 lstrcpynA 16471->16472 16472->16469 16472->16470 16472->16471 16474 40adbf 16473->16474 16498 40ad08 gethostname 16474->16498 16477 4030b5 2 API calls 16478 40add3 16477->16478 16479 40a7a3 inet_ntoa 16478->16479 16486 40ade4 16478->16486 16479->16486 16480 40ae85 wsprintfA 16481 40ef7c 3 API calls 16480->16481 16482 40aebb 16481->16482 16484 40ef7c 3 API calls 16482->16484 16483 40ae36 wsprintfA wsprintfA 16485 40ef7c 3 API calls 16483->16485 16487 40aed2 16484->16487 16485->16486 16486->16480 16486->16483 16488 40b211 16487->16488 16489 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16488->16489 16490 40b2af GetLocalTime 16488->16490 16491 40b2d2 16489->16491 16490->16491 16492 40b2d9 SystemTimeToFileTime 16491->16492 16493 40b31c GetTimeZoneInformation 16491->16493 16494 40b2ec 16492->16494 16495 40b33a wsprintfA 16493->16495 16496 40b312 FileTimeToSystemTime 16494->16496 16495->16345 16496->16493 16499 40ad71 16498->16499 16504 40ad26 lstrlenA 16498->16504 16501 40ad85 16499->16501 16502 40ad79 lstrcpyA 16499->16502 16501->16477 16502->16501 16503 40ad68 
lstrlenA 16503->16499 16504->16499 16504->16503 16506 40f428 14 API calls 16505->16506 16507 40198a 16506->16507 16508 401990 closesocket 16507->16508 16509 401998 16507->16509 16508->16509 16509->16099 16511 402d21 6 API calls 16510->16511 16512 402f01 16511->16512 16516 402f0f 16512->16516 16526 402df2 GetModuleHandleA 16512->16526 16513 402684 2 API calls 16515 402f1d 16513->16515 16515->16104 16516->16513 16517 402f1f 16516->16517 16517->16104 16522 401c80 16518->16522 16519 401cc2 wsprintfA 16521 402684 2 API calls 16519->16521 16520 401d1c 16520->16520 16523 401d47 wsprintfA 16520->16523 16521->16522 16522->16519 16522->16520 16525 401d79 16522->16525 16524 402684 2 API calls 16523->16524 16524->16525 16525->16096 16527 402e10 LoadLibraryA 16526->16527 16528 402e0b 16526->16528 16529 402e17 16527->16529 16528->16527 16528->16529 16530 402ef1 16529->16530 16531 402e28 GetProcAddress 16529->16531 16530->16516 16531->16530 16532 402e3e GetProcessHeap HeapAlloc 16531->16532 16533 402e62 16532->16533 16533->16530 16534 402ede GetProcessHeap HeapFree 16533->16534 16535 402e7f htons inet_addr 16533->16535 16536 402ea5 gethostbyname 16533->16536 16538 402ceb 16533->16538 16534->16530 16535->16533 16535->16536 16536->16533 16539 402cf2 16538->16539 16541 402d1c 16539->16541 16542 402d0e Sleep 16539->16542 16543 402a62 GetProcessHeap HeapAlloc 16539->16543 16541->16533 16542->16539 16542->16541 16544 402a92 16543->16544 16545 402a99 socket 16543->16545 16544->16539 16546 402cd3 GetProcessHeap HeapFree 16545->16546 16547 402ab4 16545->16547 16546->16544 16547->16546 16557 402abd 16547->16557 16548 402adb htons 16563 4026ff 16548->16563 16550 402b04 select 16550->16557 16551 402ca4 16552 402cb3 GetProcessHeap HeapFree closesocket 16551->16552 16552->16544 16553 402b3f recv 16553->16557 16554 402b66 htons 16554->16551 16554->16557 16555 402b87 htons 16555->16551 16555->16557 16557->16548 16557->16550 16557->16551 16557->16552 16557->16553 16557->16554 16557->16555 16559 
402bf3 GetProcessHeap HeapAlloc 16557->16559 16560 402c17 htons 16557->16560 16562 402c4d GetProcessHeap HeapFree 16557->16562 16570 402923 16557->16570 16582 402904 16557->16582 16559->16557 16578 402871 16560->16578 16562->16557 16564 40271d 16563->16564 16565 402717 16563->16565 16567 40272b GetTickCount htons 16564->16567 16566 40ebcc 4 API calls 16565->16566 16566->16564 16568 4027cc htons htons sendto 16567->16568 16569 40278a 16567->16569 16568->16557 16569->16568 16571 402944 16570->16571 16572 40293d 16570->16572 16586 402816 htons 16571->16586 16572->16557 16574 402871 htons 16577 402950 16574->16577 16575 4029bd htons htons htons 16575->16572 16576 4029f6 GetProcessHeap HeapAlloc 16575->16576 16576->16572 16576->16577 16577->16572 16577->16574 16577->16575 16579 4028e3 16578->16579 16581 402889 16578->16581 16579->16557 16580 4028c3 htons 16580->16579 16580->16581 16581->16579 16581->16580 16583 402921 16582->16583 16584 402908 16582->16584 16583->16557 16585 402909 GetProcessHeap HeapFree 16584->16585 16585->16583 16585->16585 16587 402836 16586->16587 16588 40286b 16586->16588 16587->16588 16589 40285c htons 16587->16589 16588->16577 16589->16587 16589->16588 16591 406bc0 16590->16591 16592 406bbc 16590->16592 16593 40ebcc 4 API calls 16591->16593 16595 406bd4 16591->16595 16592->16128 16594 406be4 16593->16594 16594->16595 16596 406c07 CreateFileA 16594->16596 16597 406bfc 16594->16597 16595->16128 16599 406c34 WriteFile 16596->16599 16600 406c2a 16596->16600 16598 40ec2e codecvt 4 API calls 16597->16598 16598->16595 16602 406c49 CloseHandle DeleteFileA 16599->16602 16603 406c5a CloseHandle 16599->16603 16601 40ec2e codecvt 4 API calls 16600->16601 16601->16595 16602->16600 16604 40ec2e codecvt 4 API calls 16603->16604 16604->16595 17300 2698037 17301 2698041 17300->17301 17302 26987e1 3 API calls 17301->17302 17303 2698059 17302->17303 14912 2610005 14917 261092b GetPEB 14912->14917 14914 2610030 14919 261003c 14914->14919 14918 2610972 14917->14918 
14918->14914 14920 2610049 14919->14920 14934 2610e0f SetErrorMode SetErrorMode 14920->14934 14925 2610265 14926 26102ce VirtualProtect 14925->14926 14927 261030b 14926->14927 14928 2610439 VirtualFree 14927->14928 14932 26105f4 LoadLibraryA 14928->14932 14933 26104be 14928->14933 14929 26104e3 LoadLibraryA 14929->14933 14931 26108c7 14932->14931 14933->14929 14933->14932 14935 2610223 14934->14935 14936 2610d90 14935->14936 14937 2610dad 14936->14937 14938 2610dbb GetPEB 14937->14938 14939 2610238 VirtualAlloc 14937->14939 14938->14939 14939->14925
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\2IFYYPRUgO.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\2IFYYPRUgO.exe$C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$D$P$\$chxnvqnu
                                                                                        • API String ID: 2089075347-2356712690
                                                                                        • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                        • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                        • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                        • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 486 40637c-406384 487 406386-406389 486->487 488 40638a-4063b4 GetModuleHandleA VirtualAlloc 486->488 489 4063f5-4063f7 488->489 490 4063b6-4063d4 call 40ee08 VirtualAllocEx 488->490 491 40640b-40640f 489->491 490->489 494 4063d6-4063f3 call 4062b7 WriteProcessMemory 490->494 494->489 497 4063f9-40640a 494->497 497->491
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                        • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                        • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 285 4074a2-4074b1 call 406cad 283->285 286 407714-40771d RegCloseKey 283->286 287 407804-407808 284->287 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 305 407536-40753c 296->305 306 4076df-4076e2 297->306 307 407742-407745 RegCloseKey 298->307 308 40774b-40774e 298->308 309 40753f-407544 305->309 306->291 310 4076e4-4076e7 RegCloseKey 306->310 307->308 312 4077ec-4077f7 RegCloseKey 308->312 309->309 311 407546-40754b 309->311 310->291 311->297 313 407551-40756b call 40ee95 311->313 312->287 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 329 4075d8-4075da 323->329 324->329 331 4075dc 329->331 332 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 329->332 331->332 342 407626-40762b 332->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->312 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->306 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 382 4077e0-4077e2 379->382 383 4077de 379->383 380->379 382->359 383->382
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                        • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 386 261003c-2610047 387 2610049 386->387 388 261004c-2610263 call 2610a3f call 2610e0f call 2610d90 VirtualAlloc 386->388 387->388 403 2610265-2610289 call 2610a69 388->403 404 261028b-2610292 388->404 409 26102ce-26103c2 VirtualProtect call 2610cce call 2610ce7 403->409 405 26102a1-26102b0 404->405 408 26102b2-26102cc 405->408 405->409 408->405 415 26103d1-26103e0 409->415 416 26103e2-2610437 call 2610ce7 415->416 417 2610439-26104b8 VirtualFree 415->417 416->415 418 26105f4-26105fe 417->418 419 26104be-26104cd 417->419 422 2610604-261060d 418->422 423 261077f-2610789 418->423 421 26104d3-26104dd 419->421 421->418 427 26104e3-2610505 LoadLibraryA 421->427 422->423 428 2610613-2610637 422->428 425 26107a6-26107b0 423->425 426 261078b-26107a3 423->426 430 26107b6-26107cb 425->430 431 261086e-26108be LoadLibraryA 425->431 426->425 432 2610517-2610520 427->432 433 2610507-2610515 427->433 434 261063e-2610648 428->434 435 26107d2-26107d5 430->435 438 26108c7-26108f9 431->438 436 2610526-2610547 432->436 433->436 434->423 437 261064e-261065a 434->437 439 2610824-2610833 435->439 440 26107d7-26107e0 435->440 441 261054d-2610550 436->441 437->423 442 2610660-261066a 437->442 443 2610902-261091d 438->443 444 26108fb-2610901 438->444 450 2610839-261083c 439->450 445 26107e2 440->445 446 26107e4-2610822 440->446 447 26105e0-26105ef 441->447 448 2610556-261056b 441->448 449 261067a-2610689 442->449 444->443 445->439 446->435 447->421 451 261056d 448->451 452 261056f-261057a 448->452 453 2610750-261077a 449->453 454 261068f-26106b2 449->454 450->431 455 261083e-2610847 450->455 451->447 457 261059b-26105bb 452->457 458 261057c-2610599 452->458 453->434 459 26106b4-26106ed 454->459 460 26106ef-26106fc 454->460 461 2610849 455->461 462 261084b-261086c 455->462 469 26105bd-26105db 457->469 458->469 459->460 463 261074b 460->463 464 26106fe-2610748 460->464 461->431 462->450 463->449 464->463 469->441
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0261024D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID: cess$kernel32.dll
                                                                                        • API String ID: 4275171209-1230238691
                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction ID: 5774ec0492e1ed75388dcceda0e4cbf8f0944c93cfc0f584de3cb1d391b68c67
                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction Fuzzy Hash: 1A526974A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA95DF14

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 470 40977c-4097b9 call 40ee2a CreateProcessA 473 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 470->473 474 4097bb-4097bd 470->474 478 409801-40981c call 40637c 473->478 479 4097f5 473->479 475 409864-409866 474->475 481 4097f6-4097ff TerminateProcess 478->481 483 40981e-409839 WriteProcessMemory 478->483 479->481 481->474 483->479 484 40983b-409856 Wow64SetThreadContext 483->484 484->479 485 409858-409863 ResumeThread 484->485 485->475
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                        • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                        • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2098669666-2746444292
                                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
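The three function cards above show the API sequences behind several of the report's signatures: the service entry function calls StartServiceCtrlDispatcherA and then DeleteFileA on the sample's own path (self-deletion after the copy in C:\Windows\SysWOW64\chxnvqnu\ has been installed), a helper allocates memory in a foreign process with VirtualAllocEx whose fifth argument 00000040 is PAGE_EXECUTE_READWRITE and then writes into it, and the CreateProcessA function passes 00000004 (CREATE_SUSPENDED) as its sixth argument before Wow64GetThreadContext, a four-byte WriteProcessMemory, Wow64SetThreadContext and ResumeThread, which is the classic process-hollowing chain. The script below is an added example, not part of the Joe Sandbox report: it parses "APIs" bullets in exactly the format printed above, decodes the two flag values, and tags each function with the behaviour its ordered call chain implies. The tag names and rule thresholds are my own; the constants are the Win32 SDK values; the three traces are constructed from lines copied from the cards above.

```python
import re
from dataclasses import dataclass

# Win32 constants (winbase.h / winnt.h) used by the rules below.
CREATE_SUSPENDED = 0x00000004        # CreateProcess* dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40        # VirtualAlloc(Ex) flProtect value

# One "APIs" bullet: Name.Module(args), ref: addr. The "Part of subcall function"
# prefix and the paren-less form (GetLastError.KERNEL32 ref: ...) are both accepted.
CALL_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int

def parse_api_trace(text: str) -> list:
    """Turn the report's 'APIs' bullets into ApiCall records, in call order."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

def arg_int(call: ApiCall, index: int):
    """Argument `index` as an int; None if absent or unresolved by the sandbox ('?')."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None

def _in_order(calls, start, steps):
    """True if each step (a set of API names) occurs after `start`, in this order."""
    pos = start
    for names in steps:
        pos = next((j for j in range(pos + 1, len(calls)) if calls[j].name in names), None)
        if pos is None:
            return False
    return True

def classify(calls, sample_path=None) -> set:
    """Map one function's API sequence to behaviour tags (tag names are mine)."""
    tags = set()
    for i, c in enumerate(calls):
        # Hollowing: suspended child, context read, memory written, context set, resumed.
        if c.name in ("CreateProcessA", "CreateProcessW"):
            flags = arg_int(c, 5)   # dwCreationFlags is the sixth parameter
            if flags is not None and flags & CREATE_SUSPENDED and _in_order(calls, i, [
                {"GetThreadContext", "Wow64GetThreadContext"}, {"WriteProcessMemory"},
                {"SetThreadContext", "Wow64SetThreadContext"}, {"ResumeThread"},
            ]):
                tags.add("process_hollowing")
        # RWX allocation in a foreign process followed by a write into it.
        if c.name == "VirtualAllocEx" and arg_int(c, 4) == PAGE_EXECUTE_READWRITE:
            if _in_order(calls, i, [{"WriteProcessMemory"}]):
                tags.add("remote_rwx_write")
        # The binary deletes the path it was launched from.
        if c.name in ("DeleteFileA", "DeleteFileW") and c.args and sample_path:
            if c.args[0].lower() == sample_path.lower():
                tags.add("self_delete")
    if any(c.name.startswith("StartServiceCtrlDispatcher") for c in calls):
        tags.add("runs_as_service")
    return tags

# Constructed input: API bullets copied from three function cards in this report.
SERVICE_TRACE = r"""
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\2IFYYPRUgO.exe), ref: 0040A407
"""
ALLOC_TRACE = r"""
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""
HOLLOW_TRACE = r"""
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
"""
SAMPLE_PATH = r"C:\Users\user\Desktop\2IFYYPRUgO.exe"

def analyze_samples() -> dict:
    return {name: classify(parse_api_trace(trace), SAMPLE_PATH) for name, trace in
            (("service_main", SERVICE_TRACE), ("remote_alloc", ALLOC_TRACE), ("hollow", HOLLOW_TRACE))}

if __name__ == "__main__":
    print(analyze_samples())
```

analyze_samples() tags the service entry as runs_as_service and self_delete, the helper as remote_rwx_write, and the CreateProcessA function as process_hollowing. The rules insist on the full ordered chain, so a lone WriteProcessMemory or a CreateProcessA without CREATE_SUSPENDED does not fire, and a `?` argument is treated as unknown rather than zero; that is why the hollowing rule depends on the sandbox having resolved the sixth CreateProcessA argument, as it did here.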

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 498 404000-404008 499 40400b-40402a CreateFileA 498->499 500 404057 499->500 501 40402c-404035 GetLastError 499->501 502 404059-40405c 500->502 503 404052 501->503 504 404037-40403a 501->504 505 404054-404056 502->505 503->505 504->503 506 40403c-40403f 504->506 506->502 507 404041-404050 Sleep 506->507 507->499 507->503
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 408151869-0
                                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 509 406e36-406e5d GetUserNameW 510 406ebe-406ec2 509->510 511 406e5f-406e95 LookupAccountNameW 509->511 511->510 512 406e97-406e9b 511->512 513 406ebb-406ebd 512->513 514 406e9d-406ea3 512->514 513->510 514->513 515 406ea5-406eaa 514->515 516 406eb7-406eb9 515->516 517 406eac-406eb0 515->517 516->510 517->513 518 406eb2-406eb5 517->518 518->513 518->516
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountLookupUser
                                                                                        • String ID:
                                                                                        • API String ID: 2370142434-0
                                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 519 26987e1-26987fa 520 26987fc-26987fe 519->520 521 2698800 520->521 522 2698805-2698811 CreateToolhelp32Snapshot 520->522 521->522 523 2698821-269882e Module32First 522->523 524 2698813-2698819 522->524 525 2698830-2698831 call 26984a0 523->525 526 2698837-269883f 523->526 524->523 529 269881b-269881f 524->529 530 2698836 525->530 529->520 529->523 530->526
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02698809
                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 02698829
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078985168.0000000002688000.00000040.00000020.00020000.00000000.sdmp, Offset: 02688000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2688000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 3833638111-0
                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction ID: 80baa3811c3aad7c506449f83e275977686d371f2034f4fa7d654967663787c9
                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction Fuzzy Hash: EFF09635500710AFDB203BF9AD8CB6E76ECBF4A664F100539E646D61C0DF74E8454AB5

                                                                                         Control-flow Graph (rendering not reproduced; basic blocks and edges as listed by the plugin):
                                                                                         532 2610e0f-2610e24 SetErrorMode * 2 533 2610e26 532->533 534 2610e2b-2610e2c 532->534 533->534
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,02610223,?,?), ref: 02610E19
                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,02610223,?,?), ref: 02610E1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction ID: 323a148d031aa8979a0654940c3340b49206a3e0f742dbfe92ff6cd918eee192
                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction Fuzzy Hash: 25D0123114512877DB002A95DC09BCD7B1CDF05B66F048011FB0DD9180C770954046E5

                                                                                         Control-flow Graph (rendering not reproduced; basic blocks and edges as listed by the plugin):
                                                                                         535 406dc2-406dd5 536 406e33-406e35 535->536 537 406dd7-406df1 call 406cc9 call 40ef00 535->537 542 406df4-406df9 537->542 542->542 543 406dfb-406e00 542->543 544 406e02-406e22 GetVolumeInformationA 543->544 545 406e24 543->545 544->545 546 406e2e 544->546 545->546 546->536
                                                                                        APIs
                                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1823874839-0
                                                                                        • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                        • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                         Control-flow Graph (rendering not reproduced; basic blocks and edges as listed by the plugin):
                                                                                         547 409892-4098c0 548 4098c2-4098c5 547->548 549 4098d9 547->549 548->549 550 4098c7-4098d7 548->550 551 4098e0-4098f1 SetServiceStatus 549->551 550->551
                                                                                        APIs
                                                                                        • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ServiceStatus
                                                                                        • String ID:
                                                                                        • API String ID: 3969395364-0
                                                                                        • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                        • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                        • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                        • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                         Control-flow Graph (rendering not reproduced; basic blocks and edges as listed by the plugin):
                                                                                         552 26984a0-26984da call 26987b3 555 2698528 552->555 556 26984dc-269850f VirtualAlloc call 269852d 552->556 555->555 558 2698514-2698526 556->558 558->555
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 026984F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078985168.0000000002688000.00000040.00000020.00020000.00000000.sdmp, Offset: 02688000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2688000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction ID: f9e6bf31ed66667501d1866ee0c0c4431064e3e6ec5d05f7f98a8d7a794bfa9f
                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction Fuzzy Hash: 86113979A00208EFDB01DF98CA85E98BBF5EF08351F0580A5F9489B361D775EA90DF90

                                                                                         Control-flow Graph (rendering not reproduced; basic blocks and edges as listed by the plugin):
                                                                                         559 4098f2-4098f4 560 4098f6-409902 call 404280 559->560 563 409904-409913 Sleep 560->563 564 409917 560->564 563->560 565 409915 563->565 566 409919-409942 call 402544 call 40977c 564->566 567 40995e-409960 564->567 565->564 571 409947-409957 call 40ee2a 566->571 571->567
                                                                                        APIs
                                                                                          • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                        • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3100162736-0
                                                                                        • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                        • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                        • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                        • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 026165F6
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02616610
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02616631
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02616652
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction ID: e6359c7c106158552dc72e23f537df794f8e037d0a8638377616cd0320c8a5bc
                                                                                        • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction Fuzzy Hash: 5D117375600258BFDB219F65DC45F9B3FACEB057A5F144024FA08E7251D7B1ED40CAA4
                                                                                        APIs
                                                                                        • ExitProcess.KERNEL32 ref: 02619E6D
                                                                                        • lstrcpy.KERNEL32(?,00000000), ref: 02619FE1
                                                                                        • lstrcat.KERNEL32(?,?), ref: 02619FF2
                                                                                        • lstrcat.KERNEL32(?,0041070C), ref: 0261A004
                                                                                        • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0261A054
                                                                                        • DeleteFileA.KERNEL32(?), ref: 0261A09F
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0261A0D6
                                                                                        • lstrcpy.KERNEL32 ref: 0261A12F
                                                                                        • lstrlen.KERNEL32(00000022), ref: 0261A13C
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 02619F13
                                                                                          • Part of subcall function 02617029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02617081
                                                                                          • Part of subcall function 02616F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rwmckfcj,02617043), ref: 02616F4E
                                                                                          • Part of subcall function 02616F30: GetProcAddress.KERNEL32(00000000), ref: 02616F55
                                                                                          • Part of subcall function 02616F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02616F7B
                                                                                          • Part of subcall function 02616F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02616F92
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0261A1A2
                                                                                        • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0261A1C5
                                                                                        • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0261A214
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0261A21B
                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 0261A265
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 0261A29F
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 0261A2C5
                                                                                        • lstrcat.KERNEL32(?,00000022), ref: 0261A2D9
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 0261A2F4
                                                                                        • wsprintfA.USER32 ref: 0261A31D
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 0261A345
                                                                                        • lstrcat.KERNEL32(?,?), ref: 0261A364
                                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0261A387
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0261A398
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0261A1D1
                                                                                          • Part of subcall function 02619966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0261999D
                                                                                          • Part of subcall function 02619966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 026199BD
                                                                                          • Part of subcall function 02619966: RegCloseKey.ADVAPI32(?), ref: 026199C6
                                                                                        • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0261A3DB
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0261A3E2
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0261A41D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                        • String ID: "$"$"$D$P$\
                                                                                        • API String ID: 1653845638-2605685093
                                                                                        • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction ID: a428442591a48f7a5758b6520b6dd59f93fa78c3585de0315dd98221bc02c418
                                                                                        • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction Fuzzy Hash: 8BF155B1C41259AFDF11DBA0CD48FEF77BDAB08304F0844AAE609E2151E775AA85CF64
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
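The entries above that a triage analyst reads first are the VirtualAllocEx/WriteProcessMemory routine (flProtect 0x40, i.e. PAGE_EXECUTE_READWRITE, in a foreign process), the routine that opens a key under 0x80000001 (HKEY_CURRENT_USER), sets a value, calls CreateProcessA and then DeleteFileA, and the routine that resolves a list of Nt*/Rtl* exports from ntdll.dll by hand; the CreateToolhelp32Snapshot(0x8 = TH32CS_SNAPMODULE)/Module32First pair earlier in the listing belongs to the same reading. The following Python is an added example, not Joe Sandbox output or code: it parses the report's "APIs" bullets, decodes the flProtect argument of VirtualAlloc/VirtualAllocEx from the hex values the sandbox logged, and flags those four chains. Rule names, the three-export threshold for the resolver rule and the embedded sample bullets (copied from the entries above, so the script runs offline) are my choices; argument positions follow the documented Win32 prototypes.

```python
"""Parse the 'APIs' bullets of a Joe Sandbox function entry and flag the call
chains a triage analyst looks for. Added example, not Joe Sandbox code; the
sample entries at the bottom are bullets copied from the report, embedded so it runs offline."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Three bullet shapes occur in the report:
#   • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02616631
#   • ExitProcess.KERNEL32 ref: 02619E6D
#   • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
PROTECT_ARG = {"VirtualAlloc": 3, "VirtualAllocEx": 4}   # index of flProtect in the argument list
HKEY_CURRENT_USER, TH32CS_SNAPMODULE = 0x80000001, 0x00000008


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address for "Part of subcall function" bullets

    def hex_arg(self, i: int) -> Optional[int]:
        """Argument i as an int; None when absent or logged as '?' (not recovered by the sandbox)."""
        if i < len(self.args) and re.fullmatch(r"[0-9A-Fa-f]{8}", self.args[i]):
            return int(self.args[i], 16)
        return None


def parse_calls(text: str) -> List[Call]:
    calls = []
    for m in filter(None, map(CALL_RE.match, text.splitlines())):
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def protection_name(value: int) -> str:
    return PAGE_PROTECT.get(value & 0xFF, f"0x{value & 0xFF:x}") + ("|PAGE_GUARD" if value & 0x100 else "")


def find_chains(calls: List[Call]) -> List[Tuple[str, str]]:
    """(rule, detail) pairs. Rules test co-occurrence within one function entry, not strict
    order: the entry lists call sites, not an execution trace."""
    apis = {c.api for c in calls}
    native = [c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) > 1
              and c.args[1].startswith(("Nt", "Zw"))]
    found = []
    for c in calls:
        prot = c.hex_arg(PROTECT_ARG[c.api]) if c.api in PROTECT_ARG else None
        if prot is not None and (prot & 0xFF) in EXECUTABLE:
            remote = c.api == "VirtualAllocEx" and "WriteProcessMemory" in apis
            found.append(("remote_rwx_alloc_write" if remote else "executable_alloc",
                          f"{c.api}@{c.ref:08X} flProtect={protection_name(prot)}"))
        if c.api == "RegOpenKeyExA" and c.hex_arg(0) == HKEY_CURRENT_USER \
                and {"RegSetValueExA", "CreateProcessA", "DeleteFileA"} <= apis:
            found.append(("hkcu_write_spawn_delete", f"RegOpenKeyExA@{c.ref:08X}"))
        if c.api == "CreateToolhelp32Snapshot" and (c.hex_arg(0) or 0) & TH32CS_SNAPMODULE \
                and "Module32First" in apis:
            found.append(("module_enumeration", f"CreateToolhelp32Snapshot@{c.ref:08X} pid={c.hex_arg(1)}"))
    if len(native) >= 3:   # hand-resolving several Nt*/Zw* exports sidesteps the kernel32 wrappers
        found.append(("native_api_resolution", ",".join(native)))
    return found


# Constructed input: bullets copied from the function entries above.
INJECTION_ENTRY = """
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02616610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02616631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02616652
"""
PERSISTENCE_ENTRY = """
• ExitProcess.KERNEL32 ref: 02619E6D
  • Part of subcall function 02617029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02617081
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0261A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0261A1C5
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0261A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0261A398
"""
RESOLVER_ENTRY = """
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
"""

if __name__ == "__main__":
    for entry in (INJECTION_ENTRY, PERSISTENCE_ENTRY, RESOLVER_ENTRY):
        print(find_chains(parse_calls(entry)))
```

Co-occurrence rather than ordering is deliberate: an entry lists the call sites in a function, not a trace (in the persistence entry GetTempPathA at 02619F13 is printed after lstrlen at 0261A13C), so a rule that demanded VirtualAllocEx before WriteProcessMemory would key on an order the report does not guarantee. A `?` argument means the sandbox did not recover a concrete value; `hex_arg` returns None for it rather than guessing, which is why the VirtualAlloc at 02616610 (flProtect 0x04, PAGE_READWRITE) is left alone while the VirtualAllocEx at 02616631 is flagged.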
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02617D21
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02617D46
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02617D7D
                                                                                        • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02617DA2
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02617DC0
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617DD1
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02617DE5
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02617DF3
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02617E03
                                                                                        • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02617E12
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02617E19
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02617E35
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$D
                                                                                        • API String ID: 2976863881-3421824669
                                                                                        • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction ID: e7bbb1a8db83492ccd64379e8a5bb20af06a80e0ac608be8dd40a425ef388ccd
                                                                                        • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction Fuzzy Hash: 38A16C71900259AFDF12CFA0DC88FEFBBB9FB08345F088169E505E6250D775AA85CB64
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$D
                                                                                        • API String ID: 2976863881-3421824669
                                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                        • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                        • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
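Two of the functions above belong together: the GetLocalTime/GetTimeZoneInformation routine with the day and month name table builds a Date header in the layout of its wsprintfA format string, and the send/recv routine whose strings are ehlo, helo, AUTH LOGIN, mail from, rcpt to, data, quit and three error messages is a plain SMTP client. The block below is an added example, not code from the report or from the Tofsee sample: a loopback sink plus a client that walks the same command order and applies the same three reply checks, so the exchange can be seen from both sides. The sink, the 4-byte minimum reply length, the credentials, addresses and timestamp are constructed; the 1014-byte limit is the recv() length in the listing, and the inference that the 5-byte send of "." is the CRLF.CRLF terminator is an assumption.

```python
# Added example, not code from the report or the sample. Limits, names and data are
# constructed; RECV_LIMIT is the recv() length in the listing.
import base64
import socket
import threading
from datetime import datetime, timedelta, timezone

RECV_LIMIT = 0x3F6   # 1014 bytes: a reply has to fit in one recv()
MIN_REPLY = 4        # assumption: shorter than "250\r\n" is "Too small respons"
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def rfc822_date(dt):
    """'%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u': weekday, day, month, year, time,
    then the zone offset (the time-zone bias) as +HHMM / -HHMM."""
    off = dt.utcoffset() or timedelta(0)
    mins = abs(int(off.total_seconds())) // 60
    return "%s, %d %s %d %02d:%02d:%02d %s%02d%02d" % (
        DAYS[dt.weekday()], dt.day, MONTHS[dt.month - 1], dt.year, dt.hour,
        dt.minute, dt.second, "+" if off >= timedelta(0) else "-", mins // 60, mins % 60)

def demo_date(utc_hours):
    """Constructed timestamp 2024-09-25 14:05:09 at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_hours))
    return rfc822_date(datetime(2024, 9, 25, 14, 5, 9, tzinfo=tz))

def serve_one(srv, rec):
    """Sink side: answer one client and record what it submitted."""
    conn, _ = srv.accept(); f = conn.makefile("rwb")
    def reply(*lines):  # one write per reply so a single recv() sees all of it
        f.write("".join(ln + "\r\n" for ln in lines).encode()); f.flush()
    def readline():
        return f.readline().decode(errors="replace").rstrip("\r\n")
    reply("220 sink ESMTP ready")
    line = readline()
    while line:
        rec["cmds"].append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            reply("250-sink", "250 AUTH LOGIN")
        elif verb == "AUTH":  # AUTH LOGIN: base64 user, then base64 password
            reply("334 VXNlcm5hbWU6"); rec["user"] = base64.b64decode(readline()).decode()
            reply("334 UGFzc3dvcmQ6"); rec["pass"] = base64.b64decode(readline()).decode()
            reply("235 authenticated")
        elif verb in ("MAIL", "RCPT"):
            rec.setdefault(verb, []).append(line.split(":", 1)[1].strip("<> "))
            reply("250 ok")
        elif verb == "DATA":
            reply("354 go ahead")
            body, ln = [], readline()
            while ln != ".":                  # body ends at a line holding a lone "."
                body.append(ln); ln = readline()
            rec["data"] = "\r\n".join(body); reply("250 queued")
        elif verb == "QUIT":
            reply("221 bye"); break
        else:
            reply("500 unknown command")
        line = readline()
    conn.close()

def _cmd(sock, line, expect):
    """Send one command (None: only read the greeting), then apply the three
    checks the error strings name: too small, too big, unexpected reply code."""
    if line is not None: sock.sendall(line.encode() + b"\r\n")
    data = sock.recv(RECV_LIMIT)
    if len(data) < MIN_REPLY: raise RuntimeError("Too small respons")
    if len(data) >= RECV_LIMIT: raise RuntimeError("Too big smtp respons (%d bytes)" % len(data))
    text = data.decode(errors="replace")
    if not text.startswith(expect): raise RuntimeError("Incorrect respons to %r: %r" % (line, text))
    return text

def send_like_bot(port, helo, sender, rcpt, body, creds=None):
    """Client side in the listed order: greeting, ehlo (helo without ESMTP),
    optional AUTH LOGIN, mail from, rcpt to, data, body, CRLF.CRLF, quit."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        banner = _cmd(s, None, "220")
        _cmd(s, ("ehlo %s" if "ESMTP" in banner else "helo %s") % helo, "250")
        if creds:
            _cmd(s, "AUTH LOGIN", "334")
            _cmd(s, base64.b64encode(creds[0].encode()).decode(), "334")
            _cmd(s, base64.b64encode(creds[1].encode()).decode(), "235")
        _cmd(s, "mail from:<%s>" % sender, "250")
        _cmd(s, "rcpt to:<%s>" % rcpt, "250")
        _cmd(s, "data", "354")
        s.sendall(body.encode())  # no dot-stuffing here; a real client escapes leading dots
        _cmd(s, "\r\n.", "250")   # goes out as the 5 bytes "\r\n.\r\n" (assumed from send(...,5))
        _cmd(s, "quit", "221")
    finally:
        s.close()

def run_demo():
    """One transaction through the sink; returns what the sink recorded."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    rec = {"cmds": []}
    t = threading.Thread(target=serve_one, args=(srv, rec), daemon=True); t.start()
    body = "Date: %s\r\nSubject: constructed sample\r\n\r\nhello" % demo_date(2)
    send_like_bot(srv.getsockname()[1], "bot.example", "a@example.invalid",
                  "b@example.invalid", body, creds=("user", "pass"))
    t.join(5); srv.close()
    return rec
```

Routing a sandbox's port-25 egress to a sink of this kind instead of the real MX is how the template, the recipients and the credentials a bot presents are captured without delivering anything; the 250/354/221 codes the sink returns are ordinary SMTP and the bot does not need a real mailbox behind them.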
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02617A96
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02617ACD
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 02617ADF
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02617B01
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02617B1F
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617B39
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02617B4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02617B58
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02617B68
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02617B77
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02617B7E
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02617B9A
                                                                                        • GetAce.ADVAPI32(?,?,?), ref: 02617BCA
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617BF1
                                                                                        • DeleteAce.ADVAPI32(?,?), ref: 02617C0A
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617C2C
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02617CB1
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02617CBF
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02617CD0
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02617CE0
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02617CEE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: 9e59ed8d95d15a916874d7ebc3e673ef879492c354e686dc81b426dfa18adb53
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 89813D7190021AEFDB12CFA5DD84FEEFBB8AF08304F18816AE505E6250D775A685CB64
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$localcfg
                                                                                        • API String ID: 237177642-1775881337
                                                                                        • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                        • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
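The function above opens a key under HKEY_LOCAL_MACHINE (0x80000002), queries a value and writes it back as a 4-byte REG_DWORD (type 4 in RegSetValueExA), with "localcfg" and the service image path among its strings; the value names that make up that configuration appear further down in the host-fingerprinting function (born_date, flags_upd, hi_id, lid_file_upd, loader_id, net_type, start_srv, work_srv). The block below is an added example, not from the report or the sample: a small .reg parser and a triage pass over an export that flags a key holding several of those value names and a service ImagePath of the shape C:\Windows\SysWOW64\<8 letters>\<8 letters>.exe. The key location, the service name, the sample values, the four-name threshold and the 8-letter pattern (generalised from the one path in the listing) are all assumptions.

```python
# Added example, not from the report or the sample. Key paths, service name, values
# and the path pattern are assumptions; the image path is the one in the listing.
import re

LOCALCFG_NAMES = {"born_date", "flags_upd", "hi_id", "lid_file_upd",
                  "loader_id", "net_type", "start_srv", "work_srv"}
MIN_MATCHES = 4  # assumption: four of the names under one key is enough to flag it
# Assumption generalised from the single observed path: two 8-letter lowercase names.
SVC_PATH = re.compile(r"^[A-Za-z]:\\Windows\\SysWOW64\\[a-z]{8}\\[a-z]{8}\.exe$", re.I)
_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}


def _decode(val):
    """Value text after '=' -> (type name, value)."""
    if val.startswith("dword:"):
        return ("REG_DWORD", int(val[6:], 16))
    if val.startswith('"'):
        return ("REG_SZ", val[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", val, re.I)
    if not m:
        return ("unknown", val)
    kind = int(m.group(1) or "3", 16)
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in _TYPES:   # regedit writes string types as UTF-16LE hex dumps
        return (_TYPES[kind], raw.decode("utf-16-le").rstrip("\0"))
    return ("hex(%x)" % kind, raw)


def parse_reg(text):
    """Minimal .reg parser: {key: {name: (type, value)}}, handling regedit's
    backslash line continuations for hex values."""
    keys, cur, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        ln = lines[i].rstrip(); i += 1
        if ln.startswith("[") and ln.endswith("]"):
            cur = ln[1:-1]; keys[cur] = {}
        elif cur is not None and (ln.startswith('"') or ln.startswith("@=")):
            name, val = ln.split("=", 1)
            while val.endswith("\\"):           # continuation: next line is indented
                val = val[:-1] + lines[i].strip(); i += 1
            keys[cur][name.strip('"')] = _decode(val)
    return keys


def triage_reg(text):
    """Findings: ('localcfg', key, names) and ('service_path', key, image path)."""
    out = []
    for key, vals in parse_reg(text).items():
        hits = LOCALCFG_NAMES & set(vals)
        if len(hits) >= MIN_MATCHES:
            out.append(("localcfg", key, sorted(hits)))
        img = vals.get("ImagePath")
        if img and SVC_PATH.match(img[1].strip('"')):
            out.append(("service_path", key, img[1]))
    return out


def _hex2(s):
    """Encode s the way regedit exports REG_EXPAND_SZ: hex(2): UTF-16LE bytes, wrapped."""
    bs = ["%02x" % b for b in s.encode("utf-16-le") + b"\0\0"]
    rows = [",".join(bs[i:i + 20]) for i in range(0, len(bs), 20)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed export: the key under SOFTWARE and the service name are made up.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\bnvcfxtr]\n"
    '"born_date"=dword:66f2a1b0\n"flags_upd"=dword:00000001\n"hi_id"=dword:00000000\n'
    '"loader_id"=dword:00000000\n"net_type"=dword:00000002\n"work_srv"=dword:00000000\n\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\chxnvqnu]\n"
    '"ImagePath"=' + _hex2("C:\\Windows\\SysWOW64\\chxnvqnu\\uscdfbek.exe") + "\n"
    '"Start"=dword:00000002\n"Type"=dword:00000010\n\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler]\n"
    '"ImagePath"=' + _hex2("%SystemRoot%\\System32\\spoolsv.exe") + "\n")
```

regedit writes exports as UTF-16 with a byte-order mark, so read a real file with open(path, encoding="utf-16") before passing its text to triage_reg; exporting HKLM\SOFTWARE and HKLM\SYSTEM\CurrentControlSet\Services is enough input for both checks.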
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-3716895483
                                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                        • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0261865A
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0261867B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 026186A8
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 026186B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: "$C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe
                                                                                        • API String ID: 237177642-3619810148
                                                                                        • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction ID: 7321bf279ce5c8db16d4deb5f206279f022fb133ddab661458120649b34cf447
                                                                                        • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction Fuzzy Hash: 20C1B271900248BEFB11EBA4DC85EEF7BBDEF04304F184069F604E3150EB71AA949B69
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                                        • select.WS2_32 ref: 00402B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 02611601
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 026117D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $<$@$D
                                                                                        • API String ID: 1628651668-1974347203
                                                                                        • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction ID: fb05c152851a36c5fba60b57d09640f8df2a5e6e85837152509572213412e399
                                                                                        • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction Fuzzy Hash: FEF18EB15083419FD720CF64C888BABBBE5FB8A304F04896DF69997390D7B4E944CB56
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 026176D9
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02617757
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0261778F
                                                                                        • ___ascii_stricmp.LIBCMT ref: 026178B4
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0261794E
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0261796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0261797E
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 026179AC
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02617A56
                                                                                          • Part of subcall function 0261F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0261772A,?), ref: 0261F414
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 026179F6
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02617A4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction ID: 85714b4c115e1a531b6a0ce289825e617556dde5b282e38d512eaa8c77b1b569
                                                                                        • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction Fuzzy Hash: 23C19571900249AFDB12DFA4DC45FEEBBB9EF49310F1844A5E504E6290EB71EA84CF64
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"
                                                                                        • API String ID: 4293430545-3817095088
                                                                                        • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                        • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02612CED
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 02612D07
                                                                                        • htons.WS2_32(00000000), ref: 02612D42
                                                                                        • select.WS2_32 ref: 02612D8F
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 02612DB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02612E62
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 127016686-0
                                                                                        • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction ID: a9e80077326e2c97af85a1a92b158be880c006ff6459b67855971a107850e935
                                                                                        • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction Fuzzy Hash: 2261E471904325AFC3209F64DC58B6BBBE8FB84745F08481DFD4497290D7B4E881CBA6
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                        • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                        • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                        • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 0261202D
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 0261204F
                                                                                        • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0261206A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02612071
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 02612082
                                                                                        • GetTickCount.KERNEL32 ref: 02612230
                                                                                          • Part of subcall function 02611E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02611E7C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                        • API String ID: 4207808166-1391650218
                                                                                        • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction ID: 039ddd67e863803909d2b0e88280d501452e4102ada36487f2ca94c3244c71c3
                                                                                        • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction Fuzzy Hash: 7D5193B0500784AFE330AF758C85F67BAECEB55704F08491DFE9682242D7B9B584CB69
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02613068
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02613078
                                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 02613095
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 026130B6
                                                                                        • htons.WS2_32(00000035), ref: 026130EF
                                                                                        • inet_addr.WS2_32(?), ref: 026130FA
                                                                                        • gethostbyname.WS2_32(?), ref: 0261310D
                                                                                        • HeapFree.KERNEL32(00000000), ref: 0261314D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: iphlpapi.dll
                                                                                        • API String ID: 2869546040-3565520932
                                                                                        • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction ID: fc02ab6c0b078852ac8506933ec1da377780785ae70f8c1e57317adc72346d45
                                                                                        • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction Fuzzy Hash: 4D310A31A00306ABDF119BB49C49BAE7BB8EF05324F1841A5F919E3390DB74E551CB58
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?), ref: 026195A7
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 026195D5
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 026195DC
                                                                                        • wsprintfA.USER32 ref: 02619635
                                                                                        • wsprintfA.USER32 ref: 02619673
                                                                                        • wsprintfA.USER32 ref: 026196F4
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02619758
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0261978D
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 026197D8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID:
                                                                                        • API String ID: 3696105349-0
                                                                                        • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction ID: d7379f3dfab5426c98f2bbbab882f332f287a5967254d63b8ed3c8fb613448dc
                                                                                        • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction Fuzzy Hash: C0A19DB1900248AFEB25DFA0CC55FDA3BADEF04741F18442AFA05E2251E7B5E584CFA4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-1625972887
                                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3188212458-0
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000008), ref: 026167C3
                                                                                        • htonl.WS2_32(?), ref: 026167DF
                                                                                        • htonl.WS2_32(?), ref: 026167EE
                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 026168F1
                                                                                        • ExitProcess.KERNEL32 ref: 026169BC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Processhtonl$CurrentExitRead
                                                                                        • String ID: except_info$localcfg
                                                                                        • API String ID: 1430491713-3605449297
                                                                                        • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction ID: fa2fbed1f141b604fdeb049cf41dfe97e2249f1c75f383c2a53dd4290d81e8d0
                                                                                        • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction Fuzzy Hash: 83616E71A40208AFDB609FB4DC45FEA77E9FB08300F14846AFA6DD2161EB75A990CF54
                                                                                        APIs
                                                                                        • htons.WS2_32(0261CC84), ref: 0261F5B4
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0261F5CE
                                                                                        • closesocket.WS2_32(00000000), ref: 0261F5DC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction ID: 13c5b6c110c3139388a58556ba17a7bdc44f22bec0933804ffe69d36ca4fd6ac
                                                                                        • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction Fuzzy Hash: 31316E72900218ABDB10DFA5DC89DEE7BBCFF89310F14456AF915D3150E770AA818BE4
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                        • wsprintfA.USER32 ref: 00407036
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                        • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(?), ref: 02612FA1
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 02612FB1
                                                                                        • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02612FC8
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02613000
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02613007
                                                                                        • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02613032
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: dnsapi.dll
                                                                                        • API String ID: 1242400761-3175542204
                                                                                        • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                        • Instruction ID: d85f8d14ae31e3e4dd18910e3748bb25aa5e6c16e927224d338220fcbb1b9b69
                                                                                        • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                        • Instruction Fuzzy Hash: 0921A171D40229BBCB219B54DC48AEEBBBCEF08B11F048461F906E7240D7B4AA9187E4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                        • API String ID: 1082366364-3395550214
                                                                                        • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                        • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02619A18
                                                                                        • GetThreadContext.KERNEL32(?,?), ref: 02619A52
                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 02619A60
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02619A98
                                                                                        • SetThreadContext.KERNEL32(?,00010002), ref: 02619AB5
                                                                                        • ResumeThread.KERNEL32(?), ref: 02619AC2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction ID: 3adbf57ff7773a0d85b947bbd01f4eaeb2178b27659444ec678e88985656341b
                                                                                        • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction Fuzzy Hash: 44213BB1E02219BBDB119BA1DC09EEFBBBCEF04750F444061BA19E1190EB759A44CBA4
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(004102D8), ref: 02611C18
                                                                                        • LoadLibraryA.KERNEL32(004102C8), ref: 02611C26
                                                                                        • GetProcessHeap.KERNEL32 ref: 02611C84
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02611C9D
                                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02611CC1
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 02611D02
                                                                                        • FreeLibrary.KERNEL32(?), ref: 02611D0B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID:
                                                                                        • API String ID: 2324436984-0
                                                                                        • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction ID: 937f823c50db36ea6593985e3d175f139a75537f352e49acd4e969e945d17785
                                                                                        • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction Fuzzy Hash: 0C315E31D00219FFCB119FA4DC889EEBAB9EB46305B2844BAE605E2250D7B55E80DB94
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02616CE4
                                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02616D22
                                                                                        • GetLastError.KERNEL32 ref: 02616DA7
                                                                                        • CloseHandle.KERNEL32(?), ref: 02616DB5
                                                                                        • GetLastError.KERNEL32 ref: 02616DD6
                                                                                        • DeleteFileA.KERNEL32(?), ref: 02616DE7
                                                                                        • GetLastError.KERNEL32 ref: 02616DFD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3873183294-0
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rwmckfcj,02617043), ref: 02616F4E
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02616F55
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02616F7B
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02616F92
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$\\.\pipe\rwmckfcj
                                                                                        • API String ID: 1082366364-1206033897
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen
                                                                                        • String ID: $localcfg
                                                                                        • API String ID: 1659193697-2018645984
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        APIs
                                                                                          • Part of subcall function 0261DF6C: GetCurrentThreadId.KERNEL32 ref: 0261DFBA
                                                                                        • lstrcmp.KERNEL32(00410178,00000000), ref: 0261E8FA
                                                                                        • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02616128), ref: 0261E950
                                                                                        • lstrcmp.KERNEL32(?,00000008), ref: 0261E989
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 2920362961-1846390581
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?), ref: 026192E2
                                                                                        • wsprintfA.USER32 ref: 02619350
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02619375
                                                                                        • lstrlen.KERNEL32(?,?,00000000), ref: 02619389
                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 02619394
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0261939B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                                        • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                        • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0261C6B4
                                                                                        • InterlockedIncrement.KERNEL32(0261C74B), ref: 0261C715
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0261C747), ref: 0261C728
                                                                                        • CloseHandle.KERNEL32(00000000,?,0261C747,00413588,02618A77), ref: 0261C733
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1026198776-1857712256
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                          • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe
                                                                                        • API String ID: 124786226-2411205763
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 026171E1
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02617228
                                                                                        • LocalFree.KERNEL32(?,?,?), ref: 02617286
                                                                                        • wsprintfA.USER32 ref: 0261729D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                        • String ID: |
                                                                                        • API String ID: 2539190677-2343686810
                                                                                        • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction ID: fad81b6df7a659c36631617c3ba25fa3611afa948bde9daf47b11c6f7152742c
                                                                                        • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction Fuzzy Hash: 4C311A72900208BBDB01DFA8DC45BDA7BACEF04314F18C066F959DB200EB75E6498B94
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                                        • String ID: LocalHost
                                                                                        • API String ID: 3695455745-3154191806
                                                                                        • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                        • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                        • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1586453840-0
                                                                                        • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                        • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0261B51A
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0261B529
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0261B548
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0261B590
                                                                                        • wsprintfA.USER32 ref: 0261B61E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 4026320513-0
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 15d6b95d7fd125e3af2a84259e5af47986dd72d790a7e8b23b44dbe49d57ca9d
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: 9A5120B1D0021CAACF18DFD5D8885EEBBB9BF48304F14816AF505B6150E7B85AC9CF98
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID:
                                                                                        • API String ID: 1371578007-0
                                                                                        • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                        • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 02616303
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 0261632A
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 026163B1
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02616405
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction ID: a3435f7e49f3e0b063e0a6b58528d568fccb2ede967e67d119da2454c1dc8c3f
                                                                                        • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction Fuzzy Hash: 8C413A79A00219EFDB14CF58C884BA9B7B8FF04358F188169E965D7390E771F951CB90
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                        • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                        • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                        • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                        • String ID: A$ A
                                                                                        • API String ID: 3343386518-686259309
                                                                                        • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                        • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                        • String ID:
                                                                                        • API String ID: 1802437671-0
                                                                                        • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                        • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                        • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 026193C6
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 026193CD
                                                                                        • CharToOemA.USER32(?,?), ref: 026193DB
                                                                                        • wsprintfA.USER32 ref: 02619410
                                                                                          • Part of subcall function 026192CB: GetTempPathA.KERNEL32(00000400,?), ref: 026192E2
                                                                                          • Part of subcall function 026192CB: wsprintfA.USER32 ref: 02619350
                                                                                          • Part of subcall function 026192CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02619375
                                                                                          • Part of subcall function 026192CB: lstrlen.KERNEL32(?,?,00000000), ref: 02619389
                                                                                          • Part of subcall function 026192CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02619394
                                                                                          • Part of subcall function 026192CB: CloseHandle.KERNEL32(00000000), ref: 0261939B
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02619448
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3857584221-0
                                                                                        • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction ID: 5069e02735c60c11ddbbc03bc3b0cf85e4853bdc38b1f235a7b1715badb1d0c6
                                                                                        • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction Fuzzy Hash: CD019EF69001187BDB20A7619D89EDF3B7CDB95701F0000A6BB09E2080EAB4A6C48F75
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3857584221-0
                                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                        • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 2574300362-1087626847
                                                                                        • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                        • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2777991786-2393279970
                                                                                        • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                        • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID: *p@
                                                                                        • API String ID: 3429775523-2474123842
                                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg$u6A
                                                                                        • API String ID: 1594361348-1940331995
                                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction ID: d43b75939b41592048fe0ca6c52da4e7ff184b729316fa9b1a1b1f3021383110
                                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction Fuzzy Hash: BFE012306045219FDB509B2CF848ADA77E5EF4A230F098595F854D72A0C774ECC19754
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 026169E5
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 02616A26
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000), ref: 02616A3A
                                                                                        • CloseHandle.KERNEL32(000000FF), ref: 02616BD8
                                                                                          • Part of subcall function 0261EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02611DCF,?), ref: 0261EEA8
                                                                                          • Part of subcall function 0261EE95: HeapFree.KERNEL32(00000000), ref: 0261EEAF
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 3384756699-0
                                                                                        • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction ID: 357780723b22bccbcad5ae1c38e4803498ef83cebc5d47abffc2aa03fc5ab711
                                                                                        • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction Fuzzy Hash: 2D71187590021DEFDF10DFA4CC80AEEBBB9FB04358F14856AE515A6290D730AE92DB60
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                        • API String ID: 2111968516-120809033
                                                                                        • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                        • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0261E50A,00000000,00000000,00000000,00020106,00000000,0261E50A,00000000,000000E4), ref: 0261E319
                                                                                        • RegSetValueExA.ADVAPI32(0261E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0261E38E
                                                                                        • RegDeleteValueA.ADVAPI32(0261E50A,?,?,?,?,?,000000C8,004122F8), ref: 0261E3BF
                                                                                        • RegCloseKey.ADVAPI32(0261E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0261E50A), ref: 0261E3C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseCreateDelete
                                                                                        • String ID:
                                                                                        • API String ID: 2667537340-0
                                                                                        • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                        • Instruction ID: e325552437fefec6247cb9df89fe0360f1a95a2c3d9e82bedb1b5976a74bf9aa
                                                                                        • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                        • Instruction Fuzzy Hash: F3214C71A0021DABDF209FA4EC89EDE7F79EF08750F088025F905E6160E372DA54DBA0
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                        • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                        • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                        • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseCreateDelete
                                                                                        • String ID:
                                                                                        • API String ID: 2667537340-0
                                                                                        • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                        • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                        • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                        • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 026141AB
                                                                                        • GetLastError.KERNEL32 ref: 026141B5
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 026141C6
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 026141D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 6ee90ddb55d8bf4d15105e189d5e7195892d33c589788df7612848ef858e4411
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: DF01297651110AABDF02DF95ED85BEE3B6CEB18355F004061F901F2150DB70AA518BB5
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0261421F
                                                                                        • GetLastError.KERNEL32 ref: 02614229
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 0261423A
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0261424D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0261E066
Memory Dump Source
• Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 026183C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02618477
  • Part of subcall function 026169C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 026169E5
  • Part of subcall function 026169C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02616A26
  • Part of subcall function 026169C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02616A3A
  • Part of subcall function 0261EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02611DCF,?), ref: 0261EEA8
  • Part of subcall function 0261EE95: HeapFree.KERNEL32(00000000), ref: 0261EEAF
Memory Dump Source
• Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe
• API String ID: 359188348-2411205763
APIs
• GetLocalTime.KERNEL32(?), ref: 0261AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0261B00D
  • Part of subcall function 0261AF6F: gethostname.WS2_32(?,00000080), ref: 0261AF83
  • Part of subcall function 0261AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0261AFE6
  • Part of subcall function 0261331C: gethostname.WS2_32(?,00000080), ref: 0261333F
  • Part of subcall function 0261331C: gethostbyname.WS2_32(?), ref: 02613349
  • Part of subcall function 0261AA0A: inet_ntoa.WS2_32(00000000), ref: 0261AA10
Memory Dump Source
• Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02619536
• Sleep.KERNEL32(000001F4), ref: 0261955D
Memory Dump Source
• Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
APIs
• GetTickCount.KERNEL32 ref: 0261B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0261BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0261BA94
• GetTickCount.KERNEL32 ref: 0261BB79
• GetTickCount.KERNEL32 ref: 0261BB99
• InterlockedIncrement.KERNEL32(?), ref: 0261BE15
• closesocket.WS2_32(00000000), ref: 0261BEB4
Memory Dump Source
• Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 026170BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 026170F4
Memory Dump Source
• Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: c934aac9c002d020108046fbac3637c024ecac5409e9adfc9b79e1ae78a6dee6
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 43111E7290411CEBDF12CFE4DC85ADEF7BDAB09715F2841A6E501E6194D770AB88CBA0

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C

APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C

APIs
  • Part of subcall function 02612F88: GetModuleHandleA.KERNEL32(?), ref: 02612FA1
  • Part of subcall function 02612F88: LoadLibraryA.KERNEL32(?), ref: 02612FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 026131DA
• HeapFree.KERNEL32(00000000), ref: 026131E1
Memory Dump Source
• Source File: 0000000C.00000002.2078905030.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2610000_uscdfbek.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: 748d1f5a32de7caa2923327edfa77ad575e5d8efb0e77a5819cdfd431022425a
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: E5519D7190028AAFCB059F64D884AEAB775FF05305F1841A9EC96C7310E732EA69CB94

APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000C.00000002.2077700535.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_uscdfbek.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1808
Total number of Limit Nodes: 18
6189->6196 6197 2d39e3e 6189->6197 6190 2d39bff 6190->6173 6192 2d3a49f GetTickCount 6193 2d3a491 6192->6193 6194 2d3a4be Sleep 6192->6194 6193->6192 6193->6194 6199 2d3a4b7 GetTickCount 6193->6199 6375 2d3c913 6193->6375 6194->6193 6196->6197 6198 2d39cba 6196->6198 6203 2d39e6b GetEnvironmentVariableA 6197->6203 6207 2d39e04 6197->6207 6552 2d399d2 lstrcpyA 6198->6552 6199->6194 6204 2d3a285 lstrlenA 6200->6204 6216 2d3a239 6200->6216 6203->6207 6208 2d39e7d 6203->6208 6204->6216 6622 2d3ec2e 6207->6622 6209 2d399d2 16 API calls 6208->6209 6210 2d39e9d 6209->6210 6210->6207 6215 2d39eb0 lstrcpyA lstrlenA 6210->6215 6213 2d39d5f 6566 2d36cc9 6213->6566 6214 2d3a3c2 6639 2d398f2 6214->6639 6218 2d39ef4 6215->6218 6635 2d36ec3 6216->6635 6221 2d36dc2 6 API calls 6218->6221 6225 2d39f03 6218->6225 6220 2d3a3c7 6220->6148 6221->6225 6222 2d3a39d StartServiceCtrlDispatcherA 6222->6214 6223 2d39d72 lstrcpyA lstrcatA lstrcatA 6224 2d39cf6 6223->6224 6575 2d39326 6224->6575 6226 2d39f32 RegOpenKeyExA 6225->6226 6227 2d39f48 RegSetValueExA RegCloseKey 6226->6227 6231 2d39f70 6226->6231 6227->6231 6228 2d3a35f 6228->6214 6228->6222 6236 2d39f9d GetModuleHandleA GetModuleFileNameA 6231->6236 6232 2d39e0c DeleteFileA 6232->6197 6233 2d39dde GetFileAttributesExA 6233->6232 6234 2d39df7 6233->6234 6234->6207 6612 2d396ff 6234->6612 6238 2d39fc2 6236->6238 6239 2d3a093 6236->6239 6238->6239 6245 2d39ff1 GetDriveTypeA 6238->6245 6240 2d3a103 CreateProcessA 6239->6240 6243 2d3a0a4 wsprintfA 6239->6243 6241 2d3a13a 6240->6241 6242 2d3a12a DeleteFileA 6240->6242 6241->6207 6248 2d396ff 3 API calls 6241->6248 6242->6241 6618 2d32544 6243->6618 6245->6239 6247 2d3a00d 6245->6247 6250 2d3a02d lstrcatA 6247->6250 6248->6207 6252 2d3a046 6250->6252 6253 2d3a052 lstrcatA 6252->6253 6254 2d3a064 lstrcatA 6252->6254 6253->6254 6254->6239 6255 2d3a081 lstrcatA 6254->6255 6255->6239 6256->6142 6646 2d3dd05 GetTickCount 6257->6646 6259 2d3e538 6654 2d3dbcf 6259->6654 6261 2d3e544 6262 2d3e555 
GetFileSize 6261->6262 6266 2d3e5b8 6261->6266 6263 2d3e5b1 CloseHandle 6262->6263 6264 2d3e566 6262->6264 6263->6266 6678 2d3db2e 6264->6678 6664 2d3e3ca RegOpenKeyExA 6266->6664 6268 2d3e576 ReadFile 6268->6263 6270 2d3e58d 6268->6270 6682 2d3e332 6270->6682 6273 2d3e5f2 6274 2d3e3ca 19 API calls 6273->6274 6275 2d3e629 6273->6275 6274->6275 6275->6150 6277 2d3eaba 6276->6277 6278 2d3eabe 6276->6278 6277->6153 6278->6277 6279 2d3dd05 6 API calls 6278->6279 6279->6277 6281 2d3ee2a 6280->6281 6282 2d31db4 GetVersionExA 6281->6282 6283 2d31dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6282->6283 6285 2d31e16 GetCurrentProcess 6283->6285 6286 2d31e24 6283->6286 6285->6286 6740 2d3e819 6286->6740 6288 2d31e3d 6289 2d3e819 11 API calls 6288->6289 6290 2d31e4e 6289->6290 6291 2d31e77 6290->6291 6781 2d3df70 6290->6781 6747 2d3ea84 6291->6747 6294 2d31e6c 6296 2d3df70 12 API calls 6294->6296 6296->6291 6297 2d3e819 11 API calls 6298 2d31e93 6297->6298 6751 2d3199c inet_addr LoadLibraryA 6298->6751 6301 2d3e819 11 API calls 6302 2d31eb9 6301->6302 6303 2d31ed8 6302->6303 6304 2d3f04e 4 API calls 6302->6304 6305 2d3e819 11 API calls 6303->6305 6306 2d31ec9 6304->6306 6307 2d31eee 6305->6307 6308 2d3ea84 30 API calls 6306->6308 6309 2d31f0a 6307->6309 6765 2d31b71 6307->6765 6308->6303 6311 2d3e819 11 API calls 6309->6311 6313 2d31f23 6311->6313 6312 2d31efd 6314 2d3ea84 30 API calls 6312->6314 6315 2d31f3f 6313->6315 6769 2d31bdf 6313->6769 6314->6309 6317 2d3e819 11 API calls 6315->6317 6319 2d31f5e 6317->6319 6321 2d31f77 6319->6321 6322 2d3ea84 30 API calls 6319->6322 6320 2d3ea84 30 API calls 6320->6315 6777 2d330b5 6321->6777 6322->6321 6325 2d36ec3 2 API calls 6327 2d31f8e GetTickCount 6325->6327 6327->6158 6329 2d36ec3 2 API calls 6328->6329 6330 2d380eb 6329->6330 6331 2d380f9 6330->6331 6332 2d380ef 6330->6332 6848 2d3704c 6331->6848 6835 2d37ee6 6332->6835 6335 2d380f4 6337 2d3675c 21 API calls 6335->6337 6347 2d38269 CreateThread 6335->6347 6336 2d38110 
6336->6335 6338 2d38156 RegOpenKeyExA 6336->6338 6343 2d38244 6337->6343 6339 2d38216 6338->6339 6340 2d3816d RegQueryValueExA 6338->6340 6339->6335 6341 2d381f7 6340->6341 6342 2d3818d 6340->6342 6344 2d3820d RegCloseKey 6341->6344 6346 2d3ec2e codecvt 4 API calls 6341->6346 6342->6341 6348 2d3ebcc 4 API calls 6342->6348 6345 2d3ec2e codecvt 4 API calls 6343->6345 6343->6347 6344->6339 6345->6347 6353 2d381dd 6346->6353 6354 2d35e6c 6347->6354 7309 2d3877e 6347->7309 6349 2d381a0 6348->6349 6349->6344 6350 2d381aa RegQueryValueExA 6349->6350 6350->6341 6351 2d381c4 6350->6351 6352 2d3ebcc 4 API calls 6351->6352 6352->6353 6353->6344 6950 2d3ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6354->6950 6356 2d35e71 6951 2d3e654 6356->6951 6358 2d35ec1 6359 2d33132 6358->6359 6360 2d3df70 12 API calls 6359->6360 6361 2d3313b 6360->6361 6362 2d3c125 6361->6362 6962 2d3ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6362->6962 6364 2d3c12d 6365 2d3e654 13 API calls 6364->6365 6366 2d3c2bd 6365->6366 6367 2d3e654 13 API calls 6366->6367 6368 2d3c2c9 6367->6368 6369 2d3e654 13 API calls 6368->6369 6370 2d3a47a 6369->6370 6371 2d38db1 6370->6371 6372 2d38dbc 6371->6372 6373 2d3e654 13 API calls 6372->6373 6374 2d38dec Sleep 6373->6374 6374->6193 6376 2d3c92f 6375->6376 6377 2d3c93c 6376->6377 6974 2d3c517 6376->6974 6379 2d3ca2b 6377->6379 6380 2d3e819 11 API calls 6377->6380 6379->6193 6381 2d3c96a 6380->6381 6382 2d3e819 11 API calls 6381->6382 6383 2d3c97d 6382->6383 6384 2d3e819 11 API calls 6383->6384 6385 2d3c990 6384->6385 6386 2d3c9aa 6385->6386 6387 2d3ebcc 4 API calls 6385->6387 6386->6379 6963 2d32684 6386->6963 6387->6386 6392 2d3ca26 6991 2d3c8aa 6392->6991 6395 2d3ca44 6396 2d3ca4b closesocket 6395->6396 6397 2d3ca83 6395->6397 6396->6392 6398 2d3ea84 30 API calls 6397->6398 6399 2d3caac 6398->6399 6400 2d3f04e 4 API calls 6399->6400 6401 2d3cab2 6400->6401 6402 2d3ea84 30 API calls 6401->6402 6403 2d3caca 6402->6403 6404 
2d3ea84 30 API calls 6403->6404 6405 2d3cad9 6404->6405 6995 2d3c65c 6405->6995 6408 2d3cb60 closesocket 6408->6379 6410 2d3dad2 closesocket 6411 2d3e318 23 API calls 6410->6411 6412 2d3dae0 6411->6412 6412->6379 6413 2d3df4c 20 API calls 6440 2d3cb70 6413->6440 6418 2d3e654 13 API calls 6418->6440 6424 2d3ea84 30 API calls 6424->6440 6425 2d3cc1c GetTempPathA 6425->6440 6426 2d3d569 closesocket Sleep 7042 2d3e318 6426->7042 6427 2d3d815 wsprintfA 6427->6440 6428 2d3c517 23 API calls 6428->6440 6430 2d3f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6430->6440 6431 2d3e8a1 30 API calls 6431->6440 6432 2d3d582 ExitProcess 6433 2d3c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6433->6440 6434 2d3cfe3 GetSystemDirectoryA 6434->6440 6435 2d3675c 21 API calls 6435->6440 6436 2d3d027 GetSystemDirectoryA 6436->6440 6437 2d3cfad GetEnvironmentVariableA 6437->6440 6438 2d3d105 lstrcatA 6438->6440 6439 2d3ef1e lstrlenA 6439->6440 6440->6410 6440->6413 6440->6418 6440->6424 6440->6425 6440->6426 6440->6427 6440->6428 6440->6430 6440->6431 6440->6433 6440->6434 6440->6435 6440->6436 6440->6437 6440->6438 6440->6439 6441 2d3ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6440->6441 6442 2d3cc9f CreateFileA 6440->6442 6443 2d3d15b CreateFileA 6440->6443 6448 2d3d149 SetFileAttributesA 6440->6448 6450 2d3d36e GetEnvironmentVariableA 6440->6450 6451 2d3d1bf SetFileAttributesA 6440->6451 6452 2d38e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6440->6452 6454 2d37ead 6 API calls 6440->6454 6455 2d3d22d GetEnvironmentVariableA 6440->6455 6457 2d3d3af lstrcatA 6440->6457 6459 2d37fcf 64 API calls 6440->6459 6460 2d3d3f2 CreateFileA 6440->6460 6467 2d3d4b1 CreateProcessA 6440->6467 6468 2d3d3e0 SetFileAttributesA 6440->6468 6469 2d3d26e lstrcatA 6440->6469 6471 2d3d2b1 CreateFileA 6440->6471 6473 2d37ee6 64 API calls 6440->6473 6474 2d3d452 SetFileAttributesA 6440->6474 6475 2d3d29f 
SetFileAttributesA 6440->6475 6478 2d3d31d SetFileAttributesA 6440->6478 7003 2d3c75d 6440->7003 7015 2d37e2f 6440->7015 7037 2d37ead 6440->7037 7047 2d331d0 6440->7047 7064 2d33c09 6440->7064 7074 2d33a00 6440->7074 7078 2d3e7b4 6440->7078 7081 2d3c06c 6440->7081 7087 2d36f5f GetUserNameA 6440->7087 7098 2d3e854 6440->7098 7108 2d37dd6 6440->7108 6441->6440 6442->6440 6444 2d3ccc6 WriteFile 6442->6444 6443->6440 6445 2d3d182 WriteFile CloseHandle 6443->6445 6446 2d3cced CloseHandle 6444->6446 6447 2d3cdcc CloseHandle 6444->6447 6445->6440 6453 2d3cd2f 6446->6453 6447->6440 6448->6443 6449 2d3cd16 wsprintfA 6449->6453 6450->6440 6451->6440 6452->6440 6453->6449 7024 2d37fcf 6453->7024 6454->6440 6455->6440 6457->6440 6457->6460 6459->6440 6460->6440 6463 2d3d415 WriteFile CloseHandle 6460->6463 6461 2d3cd81 WaitForSingleObject CloseHandle CloseHandle 6464 2d3f04e 4 API calls 6461->6464 6462 2d3cda5 6465 2d37ee6 64 API calls 6462->6465 6463->6440 6464->6462 6466 2d3cdbd DeleteFileA 6465->6466 6466->6440 6467->6440 6470 2d3d4e8 CloseHandle CloseHandle 6467->6470 6468->6460 6469->6440 6469->6471 6470->6440 6471->6440 6472 2d3d2d8 WriteFile CloseHandle 6471->6472 6472->6440 6473->6440 6474->6440 6475->6471 6478->6440 6480 2d36784 CreateFileA 6479->6480 6481 2d3677a SetFileAttributesA 6479->6481 6482 2d367b5 6480->6482 6483 2d367a4 CreateFileA 6480->6483 6481->6480 6484 2d367c5 6482->6484 6485 2d367ba SetFileAttributesA 6482->6485 6483->6482 6486 2d36977 6484->6486 6487 2d367cf GetFileSize 6484->6487 6485->6484 6486->6173 6507 2d36a60 CreateFileA 6486->6507 6488 2d367e5 6487->6488 6506 2d36965 6487->6506 6490 2d367ed ReadFile 6488->6490 6488->6506 6489 2d3696e CloseHandle 6489->6486 6491 2d36811 SetFilePointer 6490->6491 6490->6506 6492 2d3682a ReadFile 6491->6492 6491->6506 6493 2d36848 SetFilePointer 6492->6493 6492->6506 6494 2d36867 6493->6494 6493->6506 6495 2d368d5 6494->6495 6496 2d36878 ReadFile 6494->6496 6495->6489 6498 2d3ebcc 4 API calls 6495->6498 6497 
2d368d0 6496->6497 6499 2d36891 6496->6499 6497->6495 6500 2d368f8 6498->6500 6499->6496 6499->6497 6501 2d36900 SetFilePointer 6500->6501 6500->6506 6502 2d3695a 6501->6502 6503 2d3690d ReadFile 6501->6503 6504 2d3ec2e codecvt 4 API calls 6502->6504 6503->6502 6505 2d36922 6503->6505 6504->6506 6505->6489 6506->6489 6508 2d36a8f GetDiskFreeSpaceA 6507->6508 6509 2d36b8c GetLastError 6507->6509 6511 2d36ac5 6508->6511 6519 2d36ad7 6508->6519 6510 2d36b86 6509->6510 6510->6190 7193 2d3eb0e 6511->7193 6515 2d36b56 CloseHandle 6515->6510 6518 2d36b65 GetLastError CloseHandle 6515->6518 6516 2d36b36 GetLastError CloseHandle 6517 2d36b7f DeleteFileA 6516->6517 6517->6510 6518->6517 7197 2d36987 6519->7197 6521 2d396b9 6520->6521 6522 2d373ff 17 API calls 6521->6522 6523 2d396e2 6522->6523 6524 2d396f7 6523->6524 6525 2d3704c 16 API calls 6523->6525 6524->6168 6524->6169 6525->6524 6527 2d342a5 6526->6527 6528 2d3429d 6526->6528 7203 2d33ecd 6527->7203 6528->6172 6528->6187 6530 2d342b0 7207 2d34000 6530->7207 6532 2d343c1 CloseHandle 6532->6528 6533 2d342b6 6533->6528 6533->6532 7213 2d33f18 WriteFile 6533->7213 6538 2d343ba CloseHandle 6538->6532 6539 2d34318 6540 2d33f18 4 API calls 6539->6540 6541 2d34331 6540->6541 6542 2d33f18 4 API calls 6541->6542 6543 2d3434a 6542->6543 6544 2d3ebcc 4 API calls 6543->6544 6545 2d34350 6544->6545 6546 2d33f18 4 API calls 6545->6546 6547 2d34389 6546->6547 6548 2d3ec2e codecvt 4 API calls 6547->6548 6549 2d3438f 6548->6549 6550 2d33f8c 4 API calls 6549->6550 6551 2d3439f CloseHandle CloseHandle 6550->6551 6551->6528 6553 2d399eb 6552->6553 6554 2d39a2f lstrcatA 6553->6554 6555 2d3ee2a 6554->6555 6556 2d39a4b lstrcatA 6555->6556 6557 2d36a60 13 API calls 6556->6557 6558 2d39a60 6557->6558 6558->6197 6558->6224 6559 2d36dc2 6558->6559 6560 2d36e33 6559->6560 6561 2d36dd7 6559->6561 6560->6213 6562 2d36cc9 5 API calls 6561->6562 6563 2d36ddc 6562->6563 6564 2d36e02 GetVolumeInformationA 6563->6564 6565 2d36e24 6563->6565 6564->6565 
6565->6560 6567 2d36cdc GetModuleHandleA GetProcAddress 6566->6567 6572 2d36d8b 6566->6572 6568 2d36d12 GetSystemDirectoryA 6567->6568 6569 2d36cfd 6567->6569 6570 2d36d27 GetWindowsDirectoryA 6568->6570 6571 2d36d1e 6568->6571 6569->6568 6569->6572 6574 2d36d42 6570->6574 6571->6570 6571->6572 6572->6223 6573 2d3ef1e lstrlenA 6573->6572 6574->6573 7221 2d31910 6575->7221 6578 2d3934a GetModuleHandleA GetModuleFileNameA 6580 2d3937f 6578->6580 6581 2d393a4 6580->6581 6582 2d393d9 6580->6582 6583 2d393c3 wsprintfA 6581->6583 6584 2d39401 wsprintfA 6582->6584 6586 2d39415 6583->6586 6584->6586 6585 2d394a0 6587 2d36edd 5 API calls 6585->6587 6586->6585 6589 2d36cc9 5 API calls 6586->6589 6588 2d394ac 6587->6588 6590 2d3962f 6588->6590 6591 2d394e8 RegOpenKeyExA 6588->6591 6592 2d39439 6589->6592 6597 2d39646 6590->6597 7236 2d31820 6590->7236 6594 2d39502 6591->6594 6595 2d394fb 6591->6595 6599 2d3ef1e lstrlenA 6592->6599 6598 2d3951f RegQueryValueExA 6594->6598 6595->6590 6600 2d3958a 6595->6600 6606 2d395d6 6597->6606 7242 2d391eb 6597->7242 6601 2d39530 6598->6601 6602 2d39539 6598->6602 6603 2d39462 6599->6603 6600->6597 6604 2d39593 6600->6604 6605 2d3956e RegCloseKey 6601->6605 6607 2d39556 RegQueryValueExA 6602->6607 6608 2d3947e wsprintfA 6603->6608 6604->6606 7223 2d3f0e4 6604->7223 6605->6595 6606->6232 6606->6233 6607->6601 6607->6605 6608->6585 6610 2d395bb 6610->6606 7230 2d318e0 6610->7230 6613 2d32544 6612->6613 6614 2d3972d RegOpenKeyExA 6613->6614 6615 2d39740 6614->6615 6616 2d39765 6614->6616 6617 2d3974f RegDeleteValueA RegCloseKey 6615->6617 6616->6207 6617->6616 6619 2d32554 lstrcatA 6618->6619 6620 2d3ee2a 6619->6620 6621 2d3a0ec lstrcatA 6620->6621 6621->6240 6623 2d3ec37 6622->6623 6624 2d3a15d 6622->6624 6625 2d3eba0 codecvt 2 API calls 6623->6625 6624->6172 6624->6173 6626 2d3ec3d GetProcessHeap RtlFreeHeap 6625->6626 6626->6624 6628 2d32544 6627->6628 6629 2d3919e wsprintfA 6628->6629 6630 2d391bb 6629->6630 7280 2d39064 GetTempPathA 
6630->7280 6633 2d391e7 6633->6190 6634 2d391d5 ShellExecuteA 6634->6633 6636 2d36ed5 6635->6636 6637 2d36ecc 6635->6637 6636->6228 6638 2d36e36 2 API calls 6637->6638 6638->6636 6640 2d398f6 6639->6640 6641 2d34280 30 API calls 6640->6641 6642 2d39904 Sleep 6640->6642 6643 2d39915 6640->6643 6641->6640 6642->6640 6642->6643 6645 2d39947 6643->6645 7287 2d3977c 6643->7287 6645->6220 6647 2d3dd41 InterlockedExchange 6646->6647 6648 2d3dd20 GetCurrentThreadId 6647->6648 6649 2d3dd4a 6647->6649 6650 2d3dd53 GetCurrentThreadId 6648->6650 6651 2d3dd2e GetTickCount 6648->6651 6649->6650 6650->6259 6652 2d3dd39 Sleep 6651->6652 6653 2d3dd4c 6651->6653 6652->6647 6653->6650 6655 2d3dbf0 6654->6655 6687 2d3db67 GetEnvironmentVariableA 6655->6687 6657 2d3dc19 6658 2d3dcda 6657->6658 6659 2d3db67 3 API calls 6657->6659 6658->6261 6660 2d3dc5c 6659->6660 6660->6658 6661 2d3db67 3 API calls 6660->6661 6662 2d3dc9b 6661->6662 6662->6658 6663 2d3db67 3 API calls 6662->6663 6663->6658 6665 2d3e3f4 6664->6665 6666 2d3e528 6664->6666 6667 2d3e434 RegQueryValueExA 6665->6667 6666->6273 6668 2d3e458 6667->6668 6669 2d3e51d RegCloseKey 6667->6669 6670 2d3e46e RegQueryValueExA 6668->6670 6669->6666 6670->6668 6671 2d3e488 6670->6671 6671->6669 6672 2d3db2e 8 API calls 6671->6672 6673 2d3e499 6672->6673 6673->6669 6674 2d3e4b9 RegQueryValueExA 6673->6674 6675 2d3e4e8 6673->6675 6674->6673 6674->6675 6675->6669 6676 2d3e332 14 API calls 6675->6676 6677 2d3e513 6676->6677 6677->6669 6679 2d3db55 6678->6679 6680 2d3db3a 6678->6680 6679->6263 6679->6268 6691 2d3ebed 6680->6691 6709 2d3f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6682->6709 6684 2d3e3be 6684->6263 6686 2d3e342 6686->6684 6712 2d3de24 6686->6712 6688 2d3dbca 6687->6688 6689 2d3db89 lstrcpyA CreateFileA 6687->6689 6688->6657 6689->6657 6692 2d3ec01 6691->6692 6693 2d3ebf6 6691->6693 6703 2d3eba0 6692->6703 6700 2d3ebcc GetProcessHeap RtlAllocateHeap 6693->6700 6701 2d3eb74 2 API calls 6700->6701 6702 2d3ebe8 6701->6702 
6702->6679 6704 2d3eba7 GetProcessHeap HeapSize 6703->6704 6705 2d3ebbf GetProcessHeap HeapReAlloc 6703->6705 6704->6705 6706 2d3eb74 6705->6706 6707 2d3eb7b GetProcessHeap HeapSize 6706->6707 6708 2d3eb93 6706->6708 6707->6708 6708->6679 6723 2d3eb41 6709->6723 6711 2d3f0b7 6711->6686 6713 2d3de3a 6712->6713 6716 2d3de4e 6713->6716 6732 2d3dd84 6713->6732 6716->6686 6717 2d3de9e 6717->6716 6718 2d3ebed 8 API calls 6717->6718 6719 2d3def6 6718->6719 6719->6716 6722 2d3ddcf lstrcmpA 6719->6722 6720 2d3de76 6736 2d3ddcf 6720->6736 6722->6716 6724 2d3eb61 6723->6724 6725 2d3eb4a 6723->6725 6724->6711 6728 2d3eae4 6725->6728 6727 2d3eb54 6727->6711 6727->6724 6729 2d3eb02 GetProcAddress 6728->6729 6730 2d3eaed LoadLibraryA 6728->6730 6729->6727 6730->6729 6731 2d3eb01 6730->6731 6731->6727 6733 2d3dd96 6732->6733 6734 2d3ddc5 6732->6734 6733->6734 6735 2d3ddad lstrcmpiA 6733->6735 6734->6717 6734->6720 6735->6733 6735->6734 6737 2d3dddd 6736->6737 6739 2d3de20 6736->6739 6738 2d3ddfa lstrcmpA 6737->6738 6737->6739 6738->6737 6739->6716 6741 2d3dd05 6 API calls 6740->6741 6742 2d3e821 6741->6742 6743 2d3dd84 lstrcmpiA 6742->6743 6744 2d3e82c 6743->6744 6745 2d3e844 6744->6745 6790 2d32480 6744->6790 6745->6288 6748 2d3ea98 6747->6748 6799 2d3e8a1 6748->6799 6750 2d31e84 6750->6297 6752 2d319d5 GetProcAddress GetProcAddress GetProcAddress 6751->6752 6753 2d319ce 6751->6753 6754 2d31ab3 FreeLibrary 6752->6754 6755 2d31a04 6752->6755 6753->6301 6754->6753 6755->6754 6756 2d31a14 GetBestInterface GetProcessHeap 6755->6756 6756->6753 6757 2d31a2e HeapAlloc 6756->6757 6757->6753 6758 2d31a42 GetAdaptersInfo 6757->6758 6759 2d31a62 6758->6759 6760 2d31a52 HeapReAlloc 6758->6760 6761 2d31aa1 FreeLibrary 6759->6761 6762 2d31a69 GetAdaptersInfo 6759->6762 6760->6759 6761->6753 6762->6761 6763 2d31a75 HeapFree 6762->6763 6763->6761 6827 2d31ac3 LoadLibraryA 6765->6827 6768 2d31bcf 6768->6312 6770 2d31ac3 13 API calls 6769->6770 6771 2d31c09 6770->6771 6772 2d31c5a 6771->6772 6773 
2d31c0d GetComputerNameA 6771->6773 6772->6320 6774 2d31c45 GetVolumeInformationA 6773->6774 6775 2d31c1f 6773->6775 6774->6772 6775->6774 6776 2d31c41 6775->6776 6776->6772 6778 2d3ee2a 6777->6778 6779 2d330d0 gethostname gethostbyname 6778->6779 6780 2d31f82 6779->6780 6780->6325 6780->6327 6782 2d3dd05 6 API calls 6781->6782 6783 2d3df7c 6782->6783 6784 2d3dd84 lstrcmpiA 6783->6784 6788 2d3df89 6784->6788 6785 2d3dfc4 6785->6294 6786 2d3ddcf lstrcmpA 6786->6788 6787 2d3ec2e codecvt 4 API calls 6787->6788 6788->6785 6788->6786 6788->6787 6789 2d3dd84 lstrcmpiA 6788->6789 6789->6788 6793 2d32419 lstrlenA 6790->6793 6792 2d32491 6792->6745 6794 2d32474 6793->6794 6795 2d3243d lstrlenA 6793->6795 6794->6792 6796 2d32464 lstrlenA 6795->6796 6797 2d3244e lstrcmpiA 6795->6797 6796->6794 6796->6795 6797->6796 6798 2d3245c 6797->6798 6798->6794 6798->6796 6800 2d3dd05 6 API calls 6799->6800 6801 2d3e8b4 6800->6801 6802 2d3dd84 lstrcmpiA 6801->6802 6803 2d3e8c0 6802->6803 6804 2d3e90a 6803->6804 6805 2d3e8c8 lstrcpynA 6803->6805 6806 2d32419 4 API calls 6804->6806 6815 2d3ea27 6804->6815 6807 2d3e8f5 6805->6807 6808 2d3e926 lstrlenA lstrlenA 6806->6808 6820 2d3df4c 6807->6820 6809 2d3e96a 6808->6809 6810 2d3e94c lstrlenA 6808->6810 6814 2d3ebcc 4 API calls 6809->6814 6809->6815 6810->6809 6812 2d3e901 6813 2d3dd84 lstrcmpiA 6812->6813 6813->6804 6816 2d3e98f 6814->6816 6815->6750 6816->6815 6817 2d3df4c 20 API calls 6816->6817 6818 2d3ea1e 6817->6818 6819 2d3ec2e codecvt 4 API calls 6818->6819 6819->6815 6821 2d3dd05 6 API calls 6820->6821 6822 2d3df51 6821->6822 6823 2d3f04e 4 API calls 6822->6823 6824 2d3df58 6823->6824 6825 2d3de24 10 API calls 6824->6825 6826 2d3df63 6825->6826 6826->6812 6828 2d31ae2 GetProcAddress 6827->6828 6834 2d31b68 GetComputerNameA GetVolumeInformationA 6827->6834 6831 2d31af5 6828->6831 6828->6834 6829 2d31b1c GetAdaptersAddresses 6829->6831 6832 2d31b29 6829->6832 6830 2d3ebed 8 API calls 6830->6831 6831->6829 6831->6830 6831->6832 
6832->6832 6833 2d3ec2e codecvt 4 API calls 6832->6833 6832->6834 6833->6834 6834->6768 6836 2d36ec3 2 API calls 6835->6836 6837 2d37ef4 6836->6837 6847 2d37fc9 6837->6847 6871 2d373ff 6837->6871 6839 2d37f16 6839->6847 6891 2d37809 GetUserNameA 6839->6891 6841 2d37f63 6841->6847 6915 2d3ef1e lstrlenA 6841->6915 6844 2d3ef1e lstrlenA 6845 2d37fb7 6844->6845 6917 2d37a95 RegOpenKeyExA 6845->6917 6847->6335 6849 2d37073 6848->6849 6850 2d370b9 RegOpenKeyExA 6849->6850 6851 2d370d0 6850->6851 6865 2d371b8 6850->6865 6852 2d36dc2 6 API calls 6851->6852 6855 2d370d5 6852->6855 6853 2d3719b RegEnumValueA 6854 2d371af RegCloseKey 6853->6854 6853->6855 6854->6865 6855->6853 6857 2d371d0 6855->6857 6948 2d3f1a5 lstrlenA 6855->6948 6858 2d37205 RegCloseKey 6857->6858 6859 2d37227 6857->6859 6858->6865 6860 2d372b8 ___ascii_stricmp 6859->6860 6861 2d3728e RegCloseKey 6859->6861 6862 2d372cd RegCloseKey 6860->6862 6863 2d372dd 6860->6863 6861->6865 6862->6865 6864 2d37311 RegCloseKey 6863->6864 6867 2d37335 6863->6867 6864->6865 6865->6336 6866 2d373d5 RegCloseKey 6868 2d373e4 6866->6868 6867->6866 6869 2d3737e GetFileAttributesExA 6867->6869 6870 2d37397 6867->6870 6869->6870 6870->6866 6872 2d3741b 6871->6872 6873 2d36dc2 6 API calls 6872->6873 6874 2d3743f 6873->6874 6875 2d37469 RegOpenKeyExA 6874->6875 6877 2d377f9 6875->6877 6880 2d37487 ___ascii_stricmp 6875->6880 6876 2d37703 RegEnumKeyA 6878 2d37714 RegCloseKey 6876->6878 6876->6880 6877->6839 6878->6877 6879 2d374d2 RegOpenKeyExA 6879->6880 6880->6876 6880->6879 6881 2d3772c 6880->6881 6882 2d37521 RegQueryValueExA 6880->6882 6886 2d376e4 RegCloseKey 6880->6886 6888 2d3f1a5 lstrlenA 6880->6888 6889 2d3777e GetFileAttributesExA 6880->6889 6890 2d37769 6880->6890 6883 2d37742 RegCloseKey 6881->6883 6884 2d3774b 6881->6884 6882->6880 6883->6884 6885 2d377ec RegCloseKey 6884->6885 6885->6877 6886->6880 6887 2d377e3 RegCloseKey 6887->6885 6888->6880 6889->6890 6890->6887 6892 2d37a8d 6891->6892 6893 2d3783d 
LookupAccountNameA 6891->6893 6892->6841 6893->6892 6894 2d37874 GetLengthSid GetFileSecurityA 6893->6894 6894->6892 6895 2d378a8 GetSecurityDescriptorOwner 6894->6895 6896 2d378c5 EqualSid 6895->6896 6897 2d3791d GetSecurityDescriptorDacl 6895->6897 6896->6897 6898 2d378dc LocalAlloc 6896->6898 6897->6892 6910 2d37941 6897->6910 6898->6897 6899 2d378ef InitializeSecurityDescriptor 6898->6899 6901 2d37916 LocalFree 6899->6901 6902 2d378fb SetSecurityDescriptorOwner 6899->6902 6900 2d3795b GetAce 6900->6910 6901->6897 6902->6901 6903 2d3790b SetFileSecurityA 6902->6903 6903->6901 6904 2d37980 EqualSid 6904->6910 6905 2d37a3d 6905->6892 6908 2d37a43 LocalAlloc 6905->6908 6906 2d379be EqualSid 6906->6910 6907 2d3799d DeleteAce 6907->6910 6908->6892 6909 2d37a56 InitializeSecurityDescriptor 6908->6909 6911 2d37a62 SetSecurityDescriptorDacl 6909->6911 6912 2d37a86 LocalFree 6909->6912 6910->6892 6910->6900 6910->6904 6910->6905 6910->6906 6910->6907 6911->6912 6913 2d37a73 SetFileSecurityA 6911->6913 6912->6892 6913->6912 6914 2d37a83 6913->6914 6914->6912 6916 2d37fa6 6915->6916 6916->6844 6918 2d37ac4 6917->6918 6919 2d37acb GetUserNameA 6917->6919 6918->6847 6920 2d37da7 RegCloseKey 6919->6920 6921 2d37aed LookupAccountNameA 6919->6921 6920->6918 6921->6920 6922 2d37b24 RegGetKeySecurity 6921->6922 6922->6920 6923 2d37b49 GetSecurityDescriptorOwner 6922->6923 6924 2d37b63 EqualSid 6923->6924 6925 2d37bb8 GetSecurityDescriptorDacl 6923->6925 6924->6925 6927 2d37b74 LocalAlloc 6924->6927 6926 2d37da6 6925->6926 6933 2d37bdc 6925->6933 6926->6920 6927->6925 6928 2d37b8a InitializeSecurityDescriptor 6927->6928 6929 2d37bb1 LocalFree 6928->6929 6930 2d37b96 SetSecurityDescriptorOwner 6928->6930 6929->6925 6930->6929 6932 2d37ba6 RegSetKeySecurity 6930->6932 6931 2d37bf8 GetAce 6931->6933 6932->6929 6933->6926 6933->6931 6934 2d37c1d EqualSid 6933->6934 6935 2d37cd9 6933->6935 6936 2d37c5f EqualSid 6933->6936 6937 2d37c3a DeleteAce 6933->6937 6934->6933 6935->6926 6938 
2d37d5a LocalAlloc 6935->6938 6940 2d37cf2 RegOpenKeyExA 6935->6940 6936->6933 6937->6933 6938->6926 6939 2d37d70 InitializeSecurityDescriptor 6938->6939 6941 2d37d9f LocalFree 6939->6941 6942 2d37d7c SetSecurityDescriptorDacl 6939->6942 6940->6938 6945 2d37d0f 6940->6945 6941->6926 6942->6941 6943 2d37d8c RegSetKeySecurity 6942->6943 6943->6941 6944 2d37d9c 6943->6944 6944->6941 6946 2d37d43 RegSetValueExA 6945->6946 6946->6938 6947 2d37d54 6946->6947 6947->6938 6949 2d3f1c3 6948->6949 6949->6855 6950->6356 6952 2d3dd05 6 API calls 6951->6952 6953 2d3e65f 6952->6953 6954 2d3e6a5 6953->6954 6957 2d3e68c lstrcmpA 6953->6957 6955 2d3ebcc 4 API calls 6954->6955 6958 2d3e6f5 6954->6958 6956 2d3e6b0 6955->6956 6956->6958 6960 2d3e6b7 6956->6960 6961 2d3e6e0 lstrcpynA 6956->6961 6957->6953 6959 2d3e71d lstrcmpA 6958->6959 6958->6960 6959->6958 6960->6358 6961->6958 6962->6364 6964 2d32692 inet_addr 6963->6964 6965 2d3268e 6963->6965 6964->6965 6966 2d3269e gethostbyname 6964->6966 6967 2d3f428 6965->6967 6966->6965 7115 2d3f315 6967->7115 6970 2d3f43e 6971 2d3f473 recv 6970->6971 6972 2d3f458 6971->6972 6973 2d3f47c 6971->6973 6972->6971 6972->6973 6973->6395 6975 2d3c525 6974->6975 6976 2d3c532 6974->6976 6975->6976 6978 2d3ec2e codecvt 4 API calls 6975->6978 6977 2d3c548 6976->6977 7128 2d3e7ff 6976->7128 6980 2d3e7ff lstrcmpiA 6977->6980 6988 2d3c54f 6977->6988 6978->6976 6981 2d3c615 6980->6981 6982 2d3ebcc 4 API calls 6981->6982 6981->6988 6982->6988 6983 2d3c5d1 6986 2d3ebcc 4 API calls 6983->6986 6985 2d3e819 11 API calls 6987 2d3c5b7 6985->6987 6986->6988 6989 2d3f04e 4 API calls 6987->6989 6988->6377 6990 2d3c5bf 6989->6990 6990->6977 6990->6983 6993 2d3c8d2 6991->6993 6992 2d3c907 6992->6379 6993->6992 6994 2d3c517 23 API calls 6993->6994 6994->6992 6996 2d3c67d 6995->6996 6997 2d3c670 6995->6997 6999 2d3ebcc 4 API calls 6996->6999 7001 2d3c699 6996->7001 6998 2d3ebcc 4 API calls 6997->6998 6998->6996 6999->7001 7000 2d3c6f3 7000->6408 7000->6440 7001->7000 
[Control-flow graph residue from the interactive graph viewer: a node and edge listing (node id, address, API name, edges) that does not render as text; omitted here. The APIs, memory dump source and string summary for this function follow.]
APIs
• closesocket.WS2_32(?), ref: 02D3CA4E
• closesocket.WS2_32(?), ref: 02D3CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 02D3CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D3CCB4
• WriteFile.KERNEL32(02D3A4B3,?,-000000E8,?,00000000), ref: 02D3CCDC
• CloseHandle.KERNEL32(02D3A4B3), ref: 02D3CCED
• wsprintfA.USER32 ref: 02D3CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02D3CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02D3CD89
• CloseHandle.KERNEL32(?), ref: 02D3CD98
• CloseHandle.KERNEL32(?), ref: 02D3CD9D
• DeleteFileA.KERNEL32(?), ref: 02D3CDC4
• CloseHandle.KERNEL32(02D3A4B3), ref: 02D3CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02D3CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02D3CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02D3D033
• lstrcatA.KERNEL32(?,04500108), ref: 02D3D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 02D3D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02D3D171
• WriteFile.KERNEL32(00000000,0450012C,?,?,00000000), ref: 02D3D195
• CloseHandle.KERNEL32(00000000), ref: 02D3D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02D3D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02D3D231
• lstrcatA.KERNEL32(?,04500108,?,?,?,?,?,?,?,00000100), ref: 02D3D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02D3D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02D3D2C7
• WriteFile.KERNEL32(00000000,0450012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02D3D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02D3D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02D3D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02D3D372
• lstrcatA.KERNEL32(?,04500108,?,?,?,?,?,?,?,00000100), ref: 02D3D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02D3D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02D3D408
• WriteFile.KERNEL32(00000000,0450012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02D3D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02D3D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02D3D45B
• CreateProcessA.KERNEL32(?,02D40264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02D3D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02D3D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02D3D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02D3D513
• closesocket.WS2_32(?), ref: 02D3D56C
• Sleep.KERNEL32(000003E8), ref: 02D3D577
• ExitProcess.KERNEL32 ref: 02D3D583
• wsprintfA.USER32 ref: 02D3D81F
  • Part of subcall function 02D3C65C: send.WS2_32(00000000,?,00000000), ref: 02D3C74B
• closesocket.WS2_32(?), ref: 02D3DAD5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: &^{$.dat$.sys$4$@$C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • String ID: &^{$.dat$.sys$4$@$C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • API String ID: 562065436-3195193897
                                                                                        • Opcode ID: fdcb9e8f904f1b80b97d37e2be4c8c75b3d726aac895a5054bfdb4a2e69a8ba5
                                                                                        • Instruction ID: 080062dd92b586adc6e1ba94e25725bbd895cf241de5417f8ed280ac7c2ac60f
                                                                                        • Opcode Fuzzy Hash: fdcb9e8f904f1b80b97d37e2be4c8c75b3d726aac895a5054bfdb4a2e69a8ba5
                                                                                        • Instruction Fuzzy Hash: C1B2A372D44249AFEB16DFA4DD88FEA7BFAEB04304F14046AEA45A2380D7709D55CF60
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 02D39A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 02D39A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(02D36511), ref: 02D39A8A
                                                                                          • Part of subcall function 02D3EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02D3EC5E
                                                                                          • Part of subcall function 02D3EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02D3EC72
                                                                                          • Part of subcall function 02D3EC54: GetTickCount.KERNEL32 ref: 02D3EC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02D39AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02D39ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 02D39AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 02D39B99
                                                                                        • ExitProcess.KERNEL32 ref: 02D39C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 02D39CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 02D39D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 02D39D8B
                                                                                        • lstrcatA.KERNEL32(?,02D4070C), ref: 02D39D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02D39DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 02D39E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02D39E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02D39EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02D39ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02D39F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02D39F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02D39F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02D39FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02D39FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02D39FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 02D3A038
                                                                                        • lstrcatA.KERNEL32(00000022,02D40A34), ref: 02D3A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 02D3A072
                                                                                        • lstrcatA.KERNEL32(00000022,02D40A34), ref: 02D3A08D
                                                                                        • wsprintfA.USER32 ref: 02D3A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 02D3A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 02D3A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02D3A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02D3A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02D3A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02D3A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 02D3A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 02D3A1E5
                                                                                          • Part of subcall function 02D399D2: lstrcpyA.KERNEL32(?,?,00000100,02D422F8,00000000,?,02D39E9D,?,00000022,?,?,?,?,?,?,?), ref: 02D399DF
                                                                                          • Part of subcall function 02D399D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02D39E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02D39A3C
                                                                                          • Part of subcall function 02D399D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02D39E9D,?,00000022,?,?,?), ref: 02D39A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 02D3A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02D3A3B7
                                                                                        • GetLastError.KERNEL32 ref: 02D3A3ED
                                                                                        • Sleep.KERNELBASE(000003E8), ref: 02D3A400
                                                                                        • DeleteFileA.KERNELBASE(02D433D8), ref: 02D3A407
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,02D3405E,00000000,00000000,00000000), ref: 02D3A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 02D3A43A
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,02D3877E,00000000,00000000,00000000), ref: 02D3A469
                                                                                        • Sleep.KERNELBASE(00000BB8), ref: 02D3A48A
                                                                                        • GetTickCount.KERNEL32 ref: 02D3A49F
                                                                                        • GetTickCount.KERNEL32 ref: 02D3A4B7
                                                                                        • Sleep.KERNELBASE(00001A90), ref: 02D3A4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$D$P$\$chxnvqnu
                                                                                        • API String ID: 2089075347-1845463428
                                                                                        • Opcode ID: 0874d4ae63829d5a4470ac5021b4a2cf2fef0304460b10d76ce919c2394b9805
                                                                                        • Instruction ID: 80917907ad3d8245bc209a09ab555c2df0eda4a39121b9e2bca32e26e650caa4
                                                                                        • Opcode Fuzzy Hash: 0874d4ae63829d5a4470ac5021b4a2cf2fef0304460b10d76ce919c2394b9805
                                                                                        • Instruction Fuzzy Hash: 245250B2D40259AFDB269FA0DC49AEE7BBDEF04304F1444A6E649E2341E7709E44CF61

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 02D319B1
                                                                                        • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02D31E9E), ref: 02D319BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D319E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02D319ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02D319F9
                                                                                        • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02D31E9E), ref: 02D31A1B
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02D31E9E), ref: 02D31A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02D31E9E), ref: 02D31A36
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,02D31E9E,?,?,?,?,00000001,02D31E9E), ref: 02D31A4A
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,02D31E9E,?,?,?,?,00000001,02D31E9E), ref: 02D31A5A
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,02D31E9E,?,?,?,?,00000001,02D31E9E), ref: 02D31A6E
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02D31E9E), ref: 02D31A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02D31E9E), ref: 02D31AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 293628436-270533642
                                                                                        • Opcode ID: 1759554a6d6f940cb845b5f4ea7d9e54919deefa8d93f2ac004e2f49417193fd
                                                                                        • Instruction ID: ced131813058df51c27044455b2f6efb5a1acd02eb93f94e8f24d16b37e8baab
                                                                                        • Opcode Fuzzy Hash: 1759554a6d6f940cb845b5f4ea7d9e54919deefa8d93f2ac004e2f49417193fd
                                                                                        • Instruction Fuzzy Hash: 10315036D4425AAFDB169FE4DC889BEBBB9EF45207F144579E605E2300D7708E41CBA0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02D37ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02D37ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,02D4070C,?,?,?), ref: 02D37B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02D37B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02D37B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 02D37B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02D37B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02D37B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02D37B9C
                                                                                        • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02D37BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02D37BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,02D37FC9,?,00000000), ref: 02D37BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$D
                                                                                        • API String ID: 2976863881-3421824669
                                                                                        • Opcode ID: a9560e664e2b63efaac977f1268869e2167beebc3d17c1173b45be5922e00502
                                                                                        • Instruction ID: e5c10dfd6f8b12432e3c7ca8f1ff1c668978861ebcf4455d6109c6adf6cced1b
                                                                                        • Opcode Fuzzy Hash: a9560e664e2b63efaac977f1268869e2167beebc3d17c1173b45be5922e00502
                                                                                        • Instruction Fuzzy Hash: 7DA13AB5D40619EBEF228FA0DC88FEEBBB9FB44305F144469EA05E2240D7359E55CB60

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02D3782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02D37866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 02D37878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02D3789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,02D37F63,?), ref: 02D378B8
                                                                                        • EqualSid.ADVAPI32(?,02D37F63), ref: 02D378D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02D378E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02D378F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02D37901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02D37910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02D37917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02D37933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 02D37963
                                                                                        • EqualSid.ADVAPI32(?,02D37F63), ref: 02D3798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 02D379A3
                                                                                        • EqualSid.ADVAPI32(?,02D37F63), ref: 02D379C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02D37A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02D37A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02D37A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02D37A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02D37A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: 9f310fa6f0db3acadc01d293617e858d4613f9b28725e65d42f3418547762b5f
                                                                                        • Instruction ID: 740d0e064ef7239506847b6076745c26c3ce2a662eeffe3a2a366393fc3c5c81
                                                                                        • Opcode Fuzzy Hash: 9f310fa6f0db3acadc01d293617e858d4613f9b28725e65d42f3418547762b5f
                                                                                        • Instruction Fuzzy Hash: 47812CB1D40619ABEB22CFA4DD84FEEBBBCEF08345F14456AE605E2240D7349A55CB60

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02D383F3
                                                                                        • RegQueryValueExA.KERNELBASE(02D40750,?,00000000,?,02D38893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02D38414
                                                                                        • RegSetValueExA.KERNELBASE(02D40750,?,00000000,00000004,02D38893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02D38441
                                                                                        • RegCloseKey.ADVAPI32(02D40750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02D3844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: &^{$C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe$localcfg
                                                                                        • API String ID: 237177642-1430710465
                                                                                        • Opcode ID: 024b51877407e719083d78be4e711f6393b26b426da5d6e662e30bd2407bc0f9
                                                                                        • Instruction ID: 0186cc02878ea7e50aa7af88bce7fe0575237707319426ebb52d4dd997773506
                                                                                        • Opcode Fuzzy Hash: 024b51877407e719083d78be4e711f6393b26b426da5d6e662e30bd2407bc0f9
                                                                                        • Instruction Fuzzy Hash: 39C17DB6D40149BFEB12AFA4DC84EEE7BBEEB04345F144465FA01E2240EB709E54DB21

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 02D31DC6
                                                                                        • GetSystemInfo.KERNELBASE(?), ref: 02D31DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02D31E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02D31E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 02D31E1B
                                                                                        • GetTickCount.KERNEL32 ref: 02D31FC9
                                                                                          • Part of subcall function 02D31BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02D31C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 150575e33fc7031c881fdb2b43edd1de4604870fa12106926d874c87cb6169fa
                                                                                        • Instruction ID: 9b319fe988cb9e94996bb73682198be0cb3a651c9777ba7d7b15a08b4674b784
                                                                                        • Opcode Fuzzy Hash: 150575e33fc7031c881fdb2b43edd1de4604870fa12106926d874c87cb6169fa
                                                                                        • Instruction Fuzzy Hash: 5651A1B19043446FE321AF65CC89B27BBECEF85709F04091DE68A92382D775ED04CA71

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 02D37472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 02D374F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 02D37528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 02D3764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 02D376E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02D37706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02D37717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 02D37745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02D377EF
                                                                                          • Part of subcall function 02D3F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02D422F8,000000C8,02D37150,?), ref: 02D3F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02D3778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 02D377E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 758890cc15e8c16fde6feb68404e30692d9136b125b7b8507cec39f60d8075cd
                                                                                        • Instruction ID: be3db89e1ffde6a4bac50ab697f7e7b3de979bf18b7f8fe91c307219fab4227a
                                                                                        • Opcode Fuzzy Hash: 758890cc15e8c16fde6feb68404e30692d9136b125b7b8507cec39f60d8075cd
                                                                                        • Instruction Fuzzy Hash: 2AC171B2940649AFEB229FA4DC44FEEBBB9EF45310F1404A5E504E6290EB71DE54CF60

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 02D3677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 02D3679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 02D367B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 02D367BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 02D367D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,02D38244,00000000,?,75920F10,00000000), ref: 02D36807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02D3681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 02D3683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02D3685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,02D38244,00000000,?,75920F10,00000000), ref: 02D3688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 02D36906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,02D38244,00000000,?,75920F10,00000000), ref: 02D3691C
                                                                                        • CloseHandle.KERNELBASE(000000FF,?,75920F10,00000000), ref: 02D36971
                                                                                          • Part of subcall function 02D3EC2E: GetProcessHeap.KERNEL32(00000000,02D3EA27,00000000,02D3EA27,00000000), ref: 02D3EC41
                                                                                          • Part of subcall function 02D3EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02D3EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: d12863f0ff5a53d8cd17c2a6a9ed9b23a8cfa65ef5bf9ce7660a317e78bf124b
                                                                                        • Instruction ID: cc63ad953e6be06bf3ab69384732c170a473ff3298f2ef95eb99d8e0c71f350e
                                                                                        • Opcode Fuzzy Hash: d12863f0ff5a53d8cd17c2a6a9ed9b23a8cfa65ef5bf9ce7660a317e78bf124b
                                                                                        • Instruction Fuzzy Hash: 0571F871D00219FFDF158FA4CC84AEEBBB9FB08354F10456AE515A6290E7309E52DFA4

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • htons.WS2_32(02D3CA1D), ref: 02D3F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 02D3F367
                                                                                        • closesocket.WS2_32(00000000), ref: 02D3F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 293f0d92404d803de27c654531fdab6374a6e62e39b9d51a6fe611051cdfa48b
                                                                                        • Instruction ID: f1dc2c379eff33673368d138c82eca43a3e7d603645ba823c2745d1ee972110e
                                                                                        • Opcode Fuzzy Hash: 293f0d92404d803de27c654531fdab6374a6e62e39b9d51a6fe611051cdfa48b
                                                                                        • Instruction Fuzzy Hash: B3313B76D4011CAFDB119FA5DC849EE7BBCFB49354F104566FA15E2240E7709A418BA0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02D34070
                                                                                        • ExitProcess.KERNEL32 ref: 02D34121
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        • Opcode ID: edfa4e9893accfe436745de38271ba643f15bd9375a52c8aa52cb6e3dca50250
                                                                                        • Instruction ID: 6bd999b44afd5a50eeb79f2863be345fe69e0c4d901cf20bcd5e3575768be7f8
                                                                                        • Opcode Fuzzy Hash: edfa4e9893accfe436745de38271ba643f15bd9375a52c8aa52cb6e3dca50250
                                                                                        • Instruction Fuzzy Hash: E6516DB1D40219BBEB22AAA0CD85FAF7BBDEB11755F100055FA14F62C0E7749E01CBA1

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02D32F01,?,02D320FF,02D42000), ref: 02D32D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 02D32D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02D32D61
                                                                                        • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02D32D77
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02D32D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 02D32DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02D32DCB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 233223969-3847274415
                                                                                        • Opcode ID: df399e4d7ba3d4e751d096bb72221714915bc91941c4b5f796d5442e909656fa
                                                                                        • Instruction ID: ba8e5e242ff0b302d2c34a167514d44f7a1b87bec132984438f271f8b474bea5
                                                                                        • Opcode Fuzzy Hash: df399e4d7ba3d4e751d096bb72221714915bc91941c4b5f796d5442e909656fa
                                                                                        • Instruction Fuzzy Hash: 0B216075D41625ABCB229F55EC48AAEBBB8EF08B55F104412FE45E7300D7B0AD85CBD0

                                                                                        Control-flow Graph (rendered graph not preserved; node and edge list follows)
                                                                                        control_flow_graph 1251 2d380c9-2d380ed call 2d36ec3 1254 2d380f9-2d38115 call 2d3704c 1251->1254 1255 2d380ef call 2d37ee6 1251->1255 1260 2d38225-2d3822b 1254->1260 1261 2d3811b-2d38121 1254->1261 1258 2d380f4 1255->1258 1258->1260 1262 2d3822d-2d38233 1260->1262 1263 2d3826c-2d38273 1260->1263 1261->1260 1264 2d38127-2d3812a 1261->1264 1262->1263 1265 2d38235-2d3823f call 2d3675c 1262->1265 1264->1260 1266 2d38130-2d38167 call 2d32544 RegOpenKeyExA 1264->1266 1269 2d38244-2d3824b 1265->1269 1272 2d38216-2d38222 call 2d3ee2a 1266->1272 1273 2d3816d-2d3818b RegQueryValueExA 1266->1273 1269->1263 1271 2d3824d-2d38269 call 2d324c2 call 2d3ec2e 1269->1271 1271->1263 1272->1260 1276 2d381f7-2d381fe 1273->1276 1277 2d3818d-2d38191 1273->1277 1280 2d38200-2d38206 call 2d3ec2e 1276->1280 1281 2d3820d-2d38210 RegCloseKey 1276->1281 1277->1276 1282 2d38193-2d38196 1277->1282 1289 2d3820c 1280->1289 1281->1272 1282->1276 1285 2d38198-2d381a8 call 2d3ebcc 1282->1285 1285->1281 1291 2d381aa-2d381c2 RegQueryValueExA 1285->1291 1289->1281 1291->1276 1292 2d381c4-2d381ca 1291->1292 1293 2d381cd-2d381d2 1292->1293 1293->1293 1294 2d381d4-2d381e5 call 2d3ebcc 1293->1294 1294->1281 1297 2d381e7-2d381f5 call 2d3ef00 1294->1297 1297->1289
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02D3815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02D3A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02D38187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02D3A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02D381BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02D38210
                                                                                          • Part of subcall function 02D3675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 02D3677E
                                                                                          • Part of subcall function 02D3675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 02D3679A
                                                                                          • Part of subcall function 02D3675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 02D367B0
                                                                                          • Part of subcall function 02D3675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 02D367BF
                                                                                          • Part of subcall function 02D3675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 02D367D3
                                                                                          • Part of subcall function 02D3675C: ReadFile.KERNELBASE(000000FF,?,00000040,02D38244,00000000,?,75920F10,00000000), ref: 02D36807
                                                                                          • Part of subcall function 02D3675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02D3681F
                                                                                          • Part of subcall function 02D3675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 02D3683E
                                                                                          • Part of subcall function 02D3675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02D3685C
                                                                                          • Part of subcall function 02D3EC2E: GetProcessHeap.KERNEL32(00000000,02D3EA27,00000000,02D3EA27,00000000), ref: 02D3EC41
                                                                                          • Part of subcall function 02D3EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02D3EC48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: &^{$C:\Windows\SysWOW64\chxnvqnu\uscdfbek.exe
                                                                                        • API String ID: 124786226-1851784633
                                                                                        • Opcode ID: 55b9f417b721782404b2c8d6ac36fca16bfe2961c444a142ce60ebaf07cff122
                                                                                        • Instruction ID: 8b922c1183d46548398a21274f359d88f055600a695640d763ac24e166615291
                                                                                        • Opcode Fuzzy Hash: 55b9f417b721782404b2c8d6ac36fca16bfe2961c444a142ce60ebaf07cff122
                                                                                        • Instruction Fuzzy Hash: 04417EB6D41149BFEB12AFA0DD84EAE77ADEB04304F14486AF901E2340E7709E54DB61

                                                                                        Control-flow Graph (rendered graph not preserved; node and edge list follows)
                                                                                        control_flow_graph 1300 2d31ac3-2d31adc LoadLibraryA 1301 2d31ae2-2d31af3 GetProcAddress 1300->1301 1302 2d31b6b-2d31b70 1300->1302 1303 2d31af5-2d31b01 1301->1303 1304 2d31b6a 1301->1304 1305 2d31b1c-2d31b27 GetAdaptersAddresses 1303->1305 1304->1302 1306 2d31b03-2d31b12 call 2d3ebed 1305->1306 1307 2d31b29-2d31b2b 1305->1307 1306->1307 1315 2d31b14-2d31b1b 1306->1315 1308 2d31b5b-2d31b5e 1307->1308 1309 2d31b2d-2d31b32 1307->1309 1312 2d31b69 1308->1312 1313 2d31b60-2d31b68 call 2d3ec2e 1308->1313 1311 2d31b34-2d31b3b 1309->1311 1309->1312 1316 2d31b54-2d31b59 1311->1316 1317 2d31b3d-2d31b52 1311->1317 1312->1304 1313->1312 1315->1305 1316->1308 1316->1311 1317->1316 1317->1317
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02D31AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02D31AE9
                                                                                        • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02D31B20
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 3646706440-1087626847
                                                                                        • Opcode ID: 4b683013ae0f35692c3368e5be0b0777b0701d64622186567985f66d166be279
                                                                                        • Instruction ID: 1ced93574bcacca8e40537369fc3739a75ed8b5e460f828abc53ac75657e5106
                                                                                        • Opcode Fuzzy Hash: 4b683013ae0f35692c3368e5be0b0777b0701d64622186567985f66d166be279
                                                                                        • Instruction Fuzzy Hash: 5E11D375E01128AFDB279BA9DC848EDFBBAEB45B51F144456E509E3340E730DE40CB90

                                                                                        Control-flow Graph (rendered graph not preserved; node and edge list follows)
                                                                                        control_flow_graph 1320 2d3e3ca-2d3e3ee RegOpenKeyExA 1321 2d3e3f4-2d3e3fb 1320->1321 1322 2d3e528-2d3e52d 1320->1322 1323 2d3e3fe-2d3e403 1321->1323 1323->1323 1324 2d3e405-2d3e40f 1323->1324 1325 2d3e411-2d3e413 1324->1325 1326 2d3e414-2d3e452 call 2d3ee08 call 2d3f1ed RegQueryValueExA 1324->1326 1325->1326 1331 2d3e458-2d3e486 call 2d3f1ed RegQueryValueExA 1326->1331 1332 2d3e51d-2d3e527 RegCloseKey 1326->1332 1335 2d3e488-2d3e48a 1331->1335 1332->1322 1335->1332 1336 2d3e490-2d3e4a1 call 2d3db2e 1335->1336 1336->1332 1339 2d3e4a3-2d3e4a6 1336->1339 1340 2d3e4a9-2d3e4d3 call 2d3f1ed RegQueryValueExA 1339->1340 1343 2d3e4d5-2d3e4da 1340->1343 1344 2d3e4e8-2d3e4ea 1340->1344 1343->1344 1345 2d3e4dc-2d3e4e6 1343->1345 1344->1332 1346 2d3e4ec-2d3e516 call 2d32544 call 2d3e332 1344->1346 1345->1340 1345->1344 1346->1332
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,02D3E5F2,00000000,00020119,02D3E5F2,02D422F8), ref: 02D3E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(02D3E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02D3E44E
                                                                                        • RegQueryValueExA.ADVAPI32(02D3E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02D3E482
                                                                                        • RegQueryValueExA.ADVAPI32(02D3E5F2,?,00000000,?,80000001,?), ref: 02D3E4CF
                                                                                        • RegCloseKey.ADVAPI32(02D3E5F2,?,?,?,?,000000C8,000000E4), ref: 02D3E520
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1586453840-0
                                                                                        • Opcode ID: 9c12a545a8483ef26fb6a31716621ecaf0fc2dcfbc89a796f407a2f27b0f1048
                                                                                        • Instruction ID: 13a8336cf9a4736dcb8c1b88aca16552b0aef6b14a5a0a1efe7d73e50dddc959
                                                                                        • Opcode Fuzzy Hash: 9c12a545a8483ef26fb6a31716621ecaf0fc2dcfbc89a796f407a2f27b0f1048
                                                                                        • Instruction Fuzzy Hash: 3B41D7B2D0021DAFDF129F98DC84DEEBBB9EF08345F144566EA10E2290E3319E55DB60

                                                                                        Control-flow Graph (rendered graph not preserved; node and edge list follows)
                                                                                        control_flow_graph 1351 2d3f26d-2d3f303 setsockopt * 5
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02D3F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02D3F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02D3F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02D3F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02D3F2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: 09179a2b9693859e0e13b1ead52b3cf89aa8e65c6f7017d169535f971c3e1d26
                                                                                        • Instruction ID: 55e3257226da2ce5576feb3474f76f054d3749e723506985130a764a4e1d08d6
                                                                                        • Opcode Fuzzy Hash: 09179a2b9693859e0e13b1ead52b3cf89aa8e65c6f7017d169535f971c3e1d26
                                                                                        • Instruction Fuzzy Hash: 1F110DB5A40248BAEF11DF94CD81FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94

                                                                                        Control-flow Graph (rendered graph not preserved; node and edge list follows)
                                                                                        control_flow_graph 1352 2d31bdf-2d31c04 call 2d31ac3 1354 2d31c09-2d31c0b 1352->1354 1355 2d31c5a-2d31c5e 1354->1355 1356 2d31c0d-2d31c1d GetComputerNameA 1354->1356 1357 2d31c45-2d31c57 GetVolumeInformationA 1356->1357 1358 2d31c1f-2d31c24 1356->1358 1357->1355 1358->1357 1359 2d31c26-2d31c3b 1358->1359 1359->1359 1360 2d31c3d-2d31c3f 1359->1360 1360->1357 1361 2d31c41-2d31c43 1360->1361 1361->1355
                                                                                        APIs
                                                                                          • Part of subcall function 02D31AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02D31AD4
                                                                                          • Part of subcall function 02D31AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02D31AE9
                                                                                          • Part of subcall function 02D31AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02D31B20
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 02D31C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02D31C51
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2794401326-2393279970
                                                                                        • Opcode ID: de5f4142d4c4dae12d55aa755500a21f75b6795d698bd83883f2e2ce312b7b84
                                                                                        • Instruction ID: b89f82619e5fe2e138910b8f6f020e0b8b94346efc83692d53f5922a02f97b31
                                                                                        • Opcode Fuzzy Hash: de5f4142d4c4dae12d55aa755500a21f75b6795d698bd83883f2e2ce312b7b84
                                                                                        • Instruction Fuzzy Hash: 140180B6A04129BBEB12DEE9C8C49EFFBBCEB44685F100475E706E3200D630DE4496A0
                                                                                        APIs
                                                                                          • Part of subcall function 02D31AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02D31AD4
                                                                                          • Part of subcall function 02D31AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02D31AE9
                                                                                          • Part of subcall function 02D31AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02D31B20
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 02D31BA3
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02D31EFD,00000000,00000000,00000000,00000000), ref: 02D31BB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2794401326-1857712256
                                                                                        • Opcode ID: a63588ef2457d0057b3c13d2996a08d514aae12b46d87c78363cc4bd3a7675c4
                                                                                        • Instruction ID: f144af9fefcd1248aba9c092c81a2a5c9737ef00d37e2b1b6aba86eacf4bc365
                                                                                        • Opcode Fuzzy Hash: a63588ef2457d0057b3c13d2996a08d514aae12b46d87c78363cc4bd3a7675c4
                                                                                        • Instruction Fuzzy Hash: B6014FB7D00108BFEB019AE9C8819EFFBBDEB48655F150561A705E7240D570AE088AB0
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(00000001), ref: 02D32693
                                                                                        • gethostbyname.WS2_32(00000001), ref: 02D3269F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 1594361348-2401304539
                                                                                        • Opcode ID: c9dac4484ec756bd760030a64865d999cee1418c4aa1c4c81353c3c2633c7e29
                                                                                        • Instruction ID: ea4a2199543dfa1d85ac92b5bc66fc1cfdf00d3eaeca0ffa93e8f253bfbcfcd8
                                                                                        • Opcode Fuzzy Hash: c9dac4484ec756bd760030a64865d999cee1418c4aa1c4c81353c3c2633c7e29
                                                                                        • Instruction Fuzzy Hash: 47E08C30A044518FCB518E28F888A9937E4AF06331F018580F840D3390C7309C80C680

APIs
  • Part of subcall function 02D3DD05: GetTickCount.KERNEL32 ref: 02D3DD0F
  • Part of subcall function 02D3DD05: InterlockedExchange.KERNEL32(02D436B4,00000001), ref: 02D3DD44
  • Part of subcall function 02D3DD05: GetCurrentThreadId.KERNEL32 ref: 02D3DD53
• GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,02D3A445), ref: 02D3E558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,02D3A445), ref: 02D3E583
• CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,02D3A445), ref: 02D3E5B2
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
• Opcode ID: c06362abc41cc72e653796b1b5f3aa10ba1d72f51a05b5dc896334c02c03ff7b
• Instruction ID: 10e04f039424c74c071d377179c7bbcbcecb0ba495c9108aedcd131500d2bab2
• Opcode Fuzzy Hash: c06362abc41cc72e653796b1b5f3aa10ba1d72f51a05b5dc896334c02c03ff7b
• Instruction Fuzzy Hash: C921F9B2A803017BF2267A25EC49F9B3B5EDF55751F200454BE0AB13D2EA51ED10C9F1

APIs
• Sleep.KERNELBASE(000003E8), ref: 02D388A5
  • Part of subcall function 02D3F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02D3E342,00000000,7508EA50,80000001,00000000,02D3E513,?,00000000,00000000,?,000000E4), ref: 02D3F089
  • Part of subcall function 02D3F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02D3E342,00000000,7508EA50,80000001,00000000,02D3E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02D3F093
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
• API String ID: 1561729337-486471987
• Opcode ID: 3168e440d1f7f93880c905db301270f472e3683a478348c6dc5c88426bfb09e8
• Instruction ID: 35adab72b0410c1947c577dcfdb45e5f288ad2ec782c570e457d8dbd3fb18ea2
• Opcode Fuzzy Hash: 3168e440d1f7f93880c905db301270f472e3683a478348c6dc5c88426bfb09e8
• Instruction Fuzzy Hash: 6621B471D883046BF216AF66EC4AF7A3BEADB44710FA40919FD04D53C0EFA55D4489B2

APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02D422F8,02D342B6,00000000,00000001,02D422F8,00000000,?,02D398FD), ref: 02D34021
• GetLastError.KERNEL32(?,02D398FD,00000001,00000100,02D422F8,02D3A3C7), ref: 02D3402C
• Sleep.KERNEL32(000001F4,?,02D398FD,00000001,00000100,02D422F8,02D3A3C7), ref: 02D34046
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 5dee96556d08d0cbebc61e671e0232fb2c53abb4625d2443d3db68991a468476
• Instruction ID: de9750ea193339ea8648d04ebc9764e221d330facc8628cf2f22d708299ee490
• Opcode Fuzzy Hash: 5dee96556d08d0cbebc61e671e0232fb2c53abb4625d2443d3db68991a468476
• Instruction Fuzzy Hash: 35F082357481016BD7360A24EC49B1A33A1DB81729F354A64F3B5E22D0C7345C81DA14

APIs
• GetEnvironmentVariableA.KERNEL32(02D3DC19,?,00000104), ref: 02D3DB7F
• lstrcpyA.KERNEL32(?,02D428F8), ref: 02D3DBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02D3DBC2
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
• Opcode ID: a555655c40ba949b775259479df049acb1c741d1ab0c1035a5fd1c08b435d5a0
• Instruction ID: a0da3b7f018df24f09e90489f9f08b86a6f817077c2a088d21bbaa21b1c35464
• Opcode Fuzzy Hash: a555655c40ba949b775259479df049acb1c741d1ab0c1035a5fd1c08b435d5a0
• Instruction Fuzzy Hash: 9EF02E70540209ABEF21CF60DC89FE93BA9BB00308F2004A0BB90A41C0D3F2E9A4CF20

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 02D3EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02D3EC72
• GetTickCount.KERNEL32 ref: 02D3EC78
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 3d3bed17d64cfea9686c13a37192fb238e673765c607026b285dbf3cec6b6f7c
• Instruction ID: 6714301239873d0c5df847d81881b0553ba7ed6a9b1e9b93f6dac16a501ed105
• Opcode Fuzzy Hash: 3d3bed17d64cfea9686c13a37192fb238e673765c607026b285dbf3cec6b6f7c
• Instruction Fuzzy Hash: DBE09AF9C50104BFE705AFB4DC4AE6B77FCEB08315F500A50BA11D6180DA70AE148B60

APIs
• gethostname.WS2_32(?,00000080), ref: 02D330D8
• gethostbyname.WS2_32(?), ref: 02D330E2
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
• Opcode ID: f92bf2e094a287ad062cf058302e330de41834be95d9914eeba62554386fe87d
• Instruction ID: 4320677f883e6213b76fefe0d14f68b2a22bfcbb01199c5419b0f247831e1980
• Opcode Fuzzy Hash: f92bf2e094a287ad062cf058302e330de41834be95d9914eeba62554386fe87d
• Instruction Fuzzy Hash: DCE06D76D00119ABCB00ABA8EC89F9A77ECFF05208F184461F905E7380EA34E9048BA0

APIs
  • Part of subcall function 02D3EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02D3EC0A,00000000,80000001,?,02D3DB55,7FFF0001), ref: 02D3EBAD
  • Part of subcall function 02D3EBA0: HeapSize.KERNEL32(00000000,?,02D3DB55,7FFF0001), ref: 02D3EBB4
• GetProcessHeap.KERNEL32(00000000,02D3EA27,00000000,02D3EA27,00000000), ref: 02D3EC41
• RtlFreeHeap.NTDLL(00000000), ref: 02D3EC48
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
• Opcode ID: b181d2d3f607f2156ed6d9a21efaead39fa77d5ffd700d8f6682d4e968f6cdb8
• Instruction ID: 0c683cec162ad8e884cdd4c970fd224c9ac68c433e856fccf78b2155cd15ac59
• Opcode Fuzzy Hash: b181d2d3f607f2156ed6d9a21efaead39fa77d5ffd700d8f6682d4e968f6cdb8
• Instruction Fuzzy Hash: C4C012328462306BC5572E50F80CFDF6BA8DF45612F090809F505A628087605C408AE1

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,02D3EBFE,7FFF0001,?,02D3DB55,7FFF0001), ref: 02D3EBD3
• RtlAllocateHeap.NTDLL(00000000,?,02D3DB55,7FFF0001), ref: 02D3EBDA
  • Part of subcall function 02D3EB74: GetProcessHeap.KERNEL32(00000000,00000000,02D3EC28,00000000,?,02D3DB55,7FFF0001), ref: 02D3EB81
  • Part of subcall function 02D3EB74: HeapSize.KERNEL32(00000000,?,02D3DB55,7FFF0001), ref: 02D3EB88
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: bb181b4b8588490a4c89215bae65dad15bea9110b82e0426c3f6134a42fcb1f6
• Instruction ID: 8a2ea8c09d60fd81e53d3ff9f5a387ab11dc1da26ae07d0eeb3763cc69e6de82
• Opcode Fuzzy Hash: bb181b4b8588490a4c89215bae65dad15bea9110b82e0426c3f6134a42fcb1f6
• Instruction Fuzzy Hash: A9C0803654423067C6062BA4BC0CFDA3FE4DF04353F040404F709C1350C7304C5087A1

APIs
• recv.WS2_32(000000C8,?,00000000,02D3CA44), ref: 02D3F476
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 413c0246bbd4c039f4aeafd8efb1245a4627ecd5431e6c34612048bdd2cb8a3c
• Instruction ID: cedad4e1172c606d56440c84a29b163cb72b203adcb4534f838368f690d4be71
• Opcode Fuzzy Hash: 413c0246bbd4c039f4aeafd8efb1245a4627ecd5431e6c34612048bdd2cb8a3c
• Instruction Fuzzy Hash: 24F0127260155DAF9B129E59DC84CAB3BAEFB892607444521FA54D7210D631DC25CB70

APIs
• closesocket.WS2_32(00000000), ref: 02D31992
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: 39f9d1ada24e8141d18299d3ce475499f7c628162e48d395a207a72354a2945a
• Instruction ID: a8d24245ddd490363e9cbf21737982f5a75a5790d14cbc07dec7e514e0a46233
• Opcode Fuzzy Hash: 39f9d1ada24e8141d18299d3ce475499f7c628162e48d395a207a72354a2945a
• Instruction Fuzzy Hash: 07D012265486367A52162759F80457FABDCDF456B2B11941AFD48D0250D734CC4187A5

APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 02D3DDB5
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: 3f5d71971691fdcd8688e7afaaf1bfad2931ff28587be0d3ce19adad3018d8b4
• Instruction ID: e7f957df94ae89ffee2df8cc8f15c0ded8b579b5d39e1c78ea810302b84b3091
• Opcode Fuzzy Hash: 3f5d71971691fdcd8688e7afaaf1bfad2931ff28587be0d3ce19adad3018d8b4
• Instruction Fuzzy Hash: 18F01C75604302CBCB22CE65E884656B7EAEB86369F24492EE655D3340DB30EC55CF61

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02D39816,EntryPoint), ref: 02D3638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02D39816,EntryPoint), ref: 02D363A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02D363CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02D363EB
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: a4ec13d6b365c2c8901328d236273e5fb1797c992ec29f1ff70239d27d1741ac
• Instruction ID: ea0e7ffed4f7640a985f24e82e343a6f624ec49ae1a044504defeb49f074e399
• Opcode Fuzzy Hash: a4ec13d6b365c2c8901328d236273e5fb1797c992ec29f1ff70239d27d1741ac
• Instruction Fuzzy Hash: E8118276A00219BFDB114F65DC49F9B3BACEF047A5F114424F904EA380D770DC10CAA4

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,02D31839,02D39646), ref: 02D31012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02D310C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02D310E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02D31101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02D31121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02D31140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02D31160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02D31180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02D3119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 02D311BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02D311DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02D311FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02D3121A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 761ca36265bead040dc581a2bdaf7feab8b2551111edf982ef202927511e24d5
• Instruction ID: 673979ec7e131d89c50fa972e278fb7d7805546aa6b3e1773e7f487064dcde22
• Opcode Fuzzy Hash: 761ca36265bead040dc581a2bdaf7feab8b2551111edf982ef202927511e24d5
• Instruction Fuzzy Hash: 93517379986A43A7EB528FACEC4075237E8674C264F344796A829E23D0DBB0CCD5CF51
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 02D3B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 02D3B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02D3B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 02D3B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02D3B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 02D3B329
                                                                                        • wsprintfA.USER32 ref: 02D3B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: c86df8966cf769aa8d8d74f7b46c2b62bbd69d5e42594e08a88471a18f7079a1
                                                                                        • Instruction ID: 9c57244fc9962bba6d3663011089a3be864faf51b739ef8786def91620bbc009
                                                                                        • Opcode Fuzzy Hash: c86df8966cf769aa8d8d74f7b46c2b62bbd69d5e42594e08a88471a18f7079a1
                                                                                        • Instruction Fuzzy Hash: 4E511AB1E00229EBCF19DFD5D9849EFBBB9BF4830AF10445AE641A6350D7344E89CB90
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: 0e6c6e9060ff4fcb244670a04a26da2811e7042dab1aa2da97129a13cbd7ddac
                                                                                        • Instruction ID: ffa79a18244250c8b9facd990ba390f56764ea712aa8d2efc2cf64b2afae160d
                                                                                        • Opcode Fuzzy Hash: 0e6c6e9060ff4fcb244670a04a26da2811e7042dab1aa2da97129a13cbd7ddac
                                                                                        • Instruction Fuzzy Hash: 71618D72940208AFEB659FB4DC45FEA77F9FF08301F148469FA69D2261DA709944CF60
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 02D3A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 02D3A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 02D3A893
                                                                                        • wsprintfA.USER32 ref: 02D3A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 02D3A8D2
                                                                                        • wsprintfA.USER32 ref: 02D3A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 02D3A97C
                                                                                        • wsprintfA.USER32 ref: 02D3A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: 6c5634a9dc1c0677d5abc92f0d053f7fd453cb6ff03c7276f85fd28d6dbfd7f8
                                                                                        • Instruction ID: 580c4e8e537a9ad87eb01f717f47f7be9c6e0b3ac2bb2772f3d90876a828eb18
                                                                                        • Opcode Fuzzy Hash: 6c5634a9dc1c0677d5abc92f0d053f7fd453cb6ff03c7276f85fd28d6dbfd7f8
                                                                                        • Instruction Fuzzy Hash: 47A13B72B44345ABEF278E54DC85FEE376AEB00308F140466FAC2A6390DB719D58CB65
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 02D3139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 02D31571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-3716895483
                                                                                        • Opcode ID: 6b1da3d9e50e4ec5dcfdabfc214c3380c9845453b301cc1e95b2505f78c1a2f0
                                                                                        • Instruction ID: e07a7d141f9f42a5ace61b01c24357aa7d433868f62d5bc958c6ecaab8a623ad
                                                                                        • Opcode Fuzzy Hash: 6b1da3d9e50e4ec5dcfdabfc214c3380c9845453b301cc1e95b2505f78c1a2f0
                                                                                        • Instruction Fuzzy Hash: A9F167B59083429FD725DF64C888BAAB7E5FB88304F14492DFA9A97380D774DC44CB62
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 02D32A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 02D32A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 02D32AA0
                                                                                        • htons.WS2_32(00000000), ref: 02D32ADB
                                                                                        • select.WS2_32 ref: 02D32B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 02D32B4A
                                                                                        • htons.WS2_32(?), ref: 02D32B71
                                                                                        • htons.WS2_32(?), ref: 02D32B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02D32BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 7452b7e7853c96625453c5c90164e6286efd2e2304d23ea40c6cba35caa5ce86
                                                                                        • Instruction ID: ddec1bcddfed018f9e72332d1fc19d5fd9e0176c7250ec68cb3575963a0d8f70
                                                                                        • Opcode Fuzzy Hash: 7452b7e7853c96625453c5c90164e6286efd2e2304d23ea40c6cba35caa5ce86
                                                                                        • Instruction Fuzzy Hash: 8E619D75D083059BD7229F65DC4CB6ABBE8EB88756F014809FE8597381D7B0DC50CBA2
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 02D370C2
                                                                                        • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 02D3719E
                                                                                        • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 02D371B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02D37208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02D37291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 02D372C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02D372D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02D37314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02D3738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02D373D8
                                                                                          • Part of subcall function 02D3F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02D422F8,000000C8,02D37150,?), ref: 02D3F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"
                                                                                        • API String ID: 4293430545-3817095088
                                                                                        • Opcode ID: d540c91f3d6644474fea1f30afd6dc0bf17ba649758c00a28f75f5d6e52472c1
                                                                                        • Instruction ID: bc655d0a21b8e74d43ce3a15eede8631ad6c4710a88d5d7d529df60c40449d30
                                                                                        • Opcode Fuzzy Hash: d540c91f3d6644474fea1f30afd6dc0bf17ba649758c00a28f75f5d6e52472c1
                                                                                        • Instruction Fuzzy Hash: 32B17FB2D44609ABEF169FA4DC44BEEB7B9EF04301F100466F915E6290EB719E84CF64
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 02D3AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 02D3ADA6
                                                                                          • Part of subcall function 02D3AD08: gethostname.WS2_32(?,00000080), ref: 02D3AD1C
                                                                                          • Part of subcall function 02D3AD08: lstrlenA.KERNEL32(00000000), ref: 02D3AD60
                                                                                          • Part of subcall function 02D3AD08: lstrlenA.KERNEL32(00000000), ref: 02D3AD69
                                                                                          • Part of subcall function 02D3AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02D3AD7F
                                                                                          • Part of subcall function 02D330B5: gethostname.WS2_32(?,00000080), ref: 02D330D8
                                                                                          • Part of subcall function 02D330B5: gethostbyname.WS2_32(?), ref: 02D330E2
                                                                                        • wsprintfA.USER32 ref: 02D3AEA5
                                                                                          • Part of subcall function 02D3A7A3: inet_ntoa.WS2_32(?), ref: 02D3A7A9
                                                                                        • wsprintfA.USER32 ref: 02D3AE4F
                                                                                        • wsprintfA.USER32 ref: 02D3AE5E
                                                                                          • Part of subcall function 02D3EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02D3EF92
                                                                                          • Part of subcall function 02D3EF7C: lstrlenA.KERNEL32(?), ref: 02D3EF99
                                                                                          • Part of subcall function 02D3EF7C: lstrlenA.KERNEL32(00000000), ref: 02D3EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: f84e3ebe003823e2b2addb04a32c0ba39cf20a4a903a72f72d55057866a15b64
                                                                                        • Instruction ID: 53002f46f2f8b0b0b0bbcd68361a5c659126f562cc8af2be752c91eb811b2186
                                                                                        • Opcode Fuzzy Hash: f84e3ebe003823e2b2addb04a32c0ba39cf20a4a903a72f72d55057866a15b64
                                                                                        • Instruction Fuzzy Hash: E04100B290025CABDF26EFA0DC45EEE3BADFF08340F144416BA2592251EA75DD548F60
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,02D32F0F,?,02D320FF,02D42000), ref: 02D32E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02D32F0F,?,02D320FF,02D42000), ref: 02D32E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02D32E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02D32F0F,?,02D320FF,02D42000), ref: 02D32E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,02D32F0F,?,02D320FF,02D42000), ref: 02D32E4F
                                                                                        • htons.WS2_32(00000035), ref: 02D32E88
                                                                                        • inet_addr.WS2_32(?), ref: 02D32E93
                                                                                        • gethostbyname.WS2_32(?), ref: 02D32EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02D32F0F,?,02D320FF,02D42000), ref: 02D32EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,02D32F0F,?,02D320FF,02D42000), ref: 02D32EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: 7604e3614bb75029bb1f2d2ee67054a9118703dd325b38981bccfb3e9e5c2daf
                                                                                        • Instruction ID: 069ef093ac8e018afc9639fec035cdc37d521c38551c6decf26b7611eb680dc0
                                                                                        • Opcode Fuzzy Hash: 7604e3614bb75029bb1f2d2ee67054a9118703dd325b38981bccfb3e9e5c2daf
                                                                                        • Instruction Fuzzy Hash: 3231AD36E0020AABDB129FB8D88AA6E77F8AF04766F144515EE14F7390DB30DD41CB90
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,02D39DD7,?,00000022,?,?,00000000,00000001), ref: 02D39340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02D39DD7,?,00000022,?,?,00000000,00000001), ref: 02D3936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,02D39DD7,?,00000022,?,?,00000000,00000001), ref: 02D39375
                                                                                        • wsprintfA.USER32 ref: 02D393CE
                                                                                        • wsprintfA.USER32 ref: 02D3940C
                                                                                        • wsprintfA.USER32 ref: 02D3948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02D394F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02D39526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02D39571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: 995ccbb6ccc3d9d7654c88bfc5869d5fa97c533531edf4ead3741c7f2801e624
                                                                                        • Instruction ID: 7def41bb851e2d5f1ef040a2bff11cf31dd90fa9d1b46e63b872f20115a0b2e4
                                                                                        • Opcode Fuzzy Hash: 995ccbb6ccc3d9d7654c88bfc5869d5fa97c533531edf4ead3741c7f2801e624
                                                                                        • Instruction Fuzzy Hash: 40A16DB2940248ABEB269FA0CC99FDE3BADEB44745F100426FE0592351E7B5DD54CFA0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02D32078
                                                                                        • GetTickCount.KERNEL32 ref: 02D320D4
                                                                                        • GetTickCount.KERNEL32 ref: 02D320DB
                                                                                        • GetTickCount.KERNEL32 ref: 02D3212B
                                                                                        • GetTickCount.KERNEL32 ref: 02D32132
                                                                                        • GetTickCount.KERNEL32 ref: 02D32142
                                                                                          • Part of subcall function 02D3F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02D3E342,00000000,7508EA50,80000001,00000000,02D3E513,?,00000000,00000000,?,000000E4), ref: 02D3F089
                                                                                          • Part of subcall function 02D3F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02D3E342,00000000,7508EA50,80000001,00000000,02D3E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02D3F093
                                                                                          • Part of subcall function 02D3E854: lstrcpyA.KERNEL32(00000001,?,?,02D3D8DF,00000001,localcfg,except_info,00100000,02D40264), ref: 02D3E88B
                                                                                          • Part of subcall function 02D3E854: lstrlenA.KERNEL32(00000001,?,02D3D8DF,00000001,localcfg,except_info,00100000,02D40264), ref: 02D3E899
                                                                                          • Part of subcall function 02D31C5F: wsprintfA.USER32 ref: 02D31CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: PZg$localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-3874429886
                                                                                        • Opcode ID: a79a401fcd70f56718c10cae3f035543b2b2384fca72cd720ecc131bfd091b64
                                                                                        • Instruction ID: 8cd19a93a627029c799e82719ebfb1e346ce0750cc29449b23e756fb8a1f6c6d
                                                                                        • Opcode Fuzzy Hash: a79a401fcd70f56718c10cae3f035543b2b2384fca72cd720ecc131bfd091b64
                                                                                        • Instruction Fuzzy Hash: 1C510275D843469FE72AEF24EDCDB163BE5EB00314F204819FE4586390DBB4AC58DA21
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 02D3B467
                                                                                          • Part of subcall function 02D3EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02D3EF92
                                                                                          • Part of subcall function 02D3EF7C: lstrlenA.KERNEL32(?), ref: 02D3EF99
                                                                                          • Part of subcall function 02D3EF7C: lstrlenA.KERNEL32(00000000), ref: 02D3EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: 52b827ccea4eb53c7dfa371e8834242b75ba44b6834cf499374d7f65fe7c4b1a
                                                                                        • Instruction ID: 95bff3b2588b71d95373c8ce0c624e2b8eadbda9ca92d23b75917a368498fb09
                                                                                        • Opcode Fuzzy Hash: 52b827ccea4eb53c7dfa371e8834242b75ba44b6834cf499374d7f65fe7c4b1a
                                                                                        • Instruction Fuzzy Hash: 814131B254012DBFEF02AB94DCC1DBF7B6DEE49749F144015FA05A2240DB71AE188BB1
                                                                                        APIs
                                                                                          • Part of subcall function 02D3A4C7: GetTickCount.KERNEL32 ref: 02D3A4D1
                                                                                          • Part of subcall function 02D3A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02D3A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 02D3C31F
                                                                                        • GetTickCount.KERNEL32 ref: 02D3C32B
                                                                                        • GetTickCount.KERNEL32 ref: 02D3C363
                                                                                        • GetTickCount.KERNEL32 ref: 02D3C378
                                                                                        • GetTickCount.KERNEL32 ref: 02D3C44D
                                                                                        • InterlockedIncrement.KERNEL32(02D3C4E4), ref: 02D3C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,02D3B535,00000000,?,02D3C4E0), ref: 02D3C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,02D3C4E0,02D43588,02D38810), ref: 02D3C4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: a4724aaac2b66977b1b8b623bfb8e85b32141f2bba93b616cd234dd47800d9e6
                                                                                        • Instruction ID: 8b7c3efd22d5790a3cc196ef3e9bc49e160373691d6cb8eb84bee325a3cb0ec3
                                                                                        • Opcode Fuzzy Hash: a4724aaac2b66977b1b8b623bfb8e85b32141f2bba93b616cd234dd47800d9e6
                                                                                        • Instruction Fuzzy Hash: 2D5176B1A01B418FC7298F69C68462ABBE9FB48314B505D2EE1CBD7B90E774F844CB14
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02D3BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02D3BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02D3BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02D3BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02D3BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02D3BF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-1625972887
                                                                                        • Opcode ID: 0c817d9279b33aefb14a44059fce8096a090b01a28423b84e752690aaf7bf913
                                                                                        • Instruction ID: 3049cdb45059f862c7ce9b6d02e125ccf191b9cbae47f61f09c8e1e4df4b37ff
                                                                                        • Opcode Fuzzy Hash: 0c817d9279b33aefb14a44059fce8096a090b01a28423b84e752690aaf7bf913
                                                                                        • Instruction Fuzzy Hash: EA51AE31A0021AAFDB169F68D880B6EBBE9EF0434CF145056E945EB390D731ED45CFA0
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36A7D
                                                                                        • GetDiskFreeSpaceA.KERNEL32(02D39E9D,02D39A60,?,?,?,02D422F8,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36B4E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02D39A60,?,?,02D39E9D), ref: 02D36B80
                                                                                        • GetLastError.KERNEL32(?,?,?,02D39A60,?,?,02D39E9D,?,?,?,?,?,02D39E9D,?,00000022,?), ref: 02D36B96
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3188212458-0
                                                                                        • Opcode ID: 0bba6e0689c16baad8622dfa09b5e7489840ed8e247c5eb6fc7410f68bfdd599
                                                                                        • Instruction ID: 2255984866729b72bb1fa913c27fd628c88dab7bb551870283cc798080c8d54a
                                                                                        • Opcode Fuzzy Hash: 0bba6e0689c16baad8622dfa09b5e7489840ed8e247c5eb6fc7410f68bfdd599
                                                                                        • Instruction Fuzzy Hash: 8C31ACBAD00249BFDB029FA4C848ADEBBBDEF48340F144866E651A3341E7309D55CFA5
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,02D3D7C3), ref: 02D36F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02D3D7C3), ref: 02D36FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02D36FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 02D3701F
                                                                                        • wsprintfA.USER32 ref: 02D37036
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: 5f47ae57cd439d20cc53b92719786f3389e861428ace787259cd88dc89101f9a
                                                                                        • Instruction ID: 353494a0e850b8e215c6dbb4ebd1907c58d1a9e615023baa05d09e5df73eeaea
                                                                                        • Opcode Fuzzy Hash: 5f47ae57cd439d20cc53b92719786f3389e861428ace787259cd88dc89101f9a
                                                                                        • Instruction Fuzzy Hash: 8B311A76A00108BFDB01DFA8D848ADA7BFCEF04354F148066F959DB240EB35DA08CBA4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02D422F8,000000E4,02D36DDC,000000C8), ref: 02D36CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02D36CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02D36D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02D36D2B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                        • API String ID: 1082366364-3395550214
                                                                                        • Opcode ID: f1da47882a88203d965ae4a933b09c9e29a23d001ef507aacc1909109e43a3c9
                                                                                        • Instruction ID: 8ef2509394503a1ba2efdc774d61d43f78c4825a7dd0fdc21f1f48842ade29c3
                                                                                        • Opcode Fuzzy Hash: f1da47882a88203d965ae4a933b09c9e29a23d001ef507aacc1909109e43a3c9
                                                                                        • Instruction Fuzzy Hash: 2E21FF55A802507BF7275B22EC8CF672F8D8B02745F080464FE44A6380CB948D4AC6F9
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,02D39947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02D422F8), ref: 02D397B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02D422F8), ref: 02D397EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02D422F8), ref: 02D397F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02D422F8), ref: 02D39831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02D422F8), ref: 02D3984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02D422F8), ref: 02D3985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: c70d21ab99829b0ada8191f31c528a29becc44957db35e8051922792ab81a36a
                                                                                        • Instruction ID: eeb38c98a15d64d40d36e53454911d78d502a7207f1cac7c1de82745bb32f5f3
                                                                                        • Opcode Fuzzy Hash: c70d21ab99829b0ada8191f31c528a29becc44957db35e8051922792ab81a36a
                                                                                        • Instruction Fuzzy Hash: 1F213DB1D41119BBDB129FA1DC49FEF7BBCEF09655F000860FA19E1280EB709A54CAA0
                                                                                        APIs
                                                                                          • Part of subcall function 02D3DD05: GetTickCount.KERNEL32 ref: 02D3DD0F
                                                                                          • Part of subcall function 02D3DD05: InterlockedExchange.KERNEL32(02D436B4,00000001), ref: 02D3DD44
                                                                                          • Part of subcall function 02D3DD05: GetCurrentThreadId.KERNEL32 ref: 02D3DD53
                                                                                          • Part of subcall function 02D3DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02D3DDB5
                                                                                        • lstrcpynA.KERNEL32(?,02D31E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02D3EAAA,?,?), ref: 02D3E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02D3EAAA,?,?,00000001,?,02D31E84,?), ref: 02D3E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02D3EAAA,?,?,00000001,?,02D31E84,?,0000000A), ref: 02D3E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02D3EAAA,?,?,00000001,?,02D31E84,?), ref: 02D3E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: 129279cf43c186f2f15bc9a1086f0cf6c064a534e1cf4926cc6cbf6bf219c91a
                                                                                        • Instruction ID: e63f099ca29f7d2a057275adde34705cd9e3b1828e6e09975a83e000351a2a9e
                                                                                        • Opcode Fuzzy Hash: 129279cf43c186f2f15bc9a1086f0cf6c064a534e1cf4926cc6cbf6bf219c91a
                                                                                        • Instruction Fuzzy Hash: CA51FE72D0020AAFCB12EFA8C9849AEB7FAFF48308F144569E505A7250D775EE15CF60
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: 1d534eeee063094bca884a458890e4f84757e290dd97c432ba127645526fd714
                                                                                        • Instruction ID: 26c88e2b2f00c7ec03f8a64e91f95e0f98c1589347778eacff1e8a6e8249f946
                                                                                        • Opcode Fuzzy Hash: 1d534eeee063094bca884a458890e4f84757e290dd97c432ba127645526fd714
                                                                                        • Instruction Fuzzy Hash: 1C216F76504105FFDB166F60ED48D9F7FACDB447A5B204915F602E1280EB31EE10DAB8
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,02D422F8), ref: 02D3907B
                                                                                        • wsprintfA.USER32 ref: 02D390E9
                                                                                        • CreateFileA.KERNEL32(02D422F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D3910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02D39122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02D3912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02D39134
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: 5689ba5b0c78f605d362444ad1ccac6f0c049e3a889dd84f0a2c3569c0f25dc1
                                                                                        • Instruction ID: 47178b6c0695d7857df028a1ed3dc4cc60f0905882b281e52fec8ff704d6f49c
                                                                                        • Opcode Fuzzy Hash: 5689ba5b0c78f605d362444ad1ccac6f0c049e3a889dd84f0a2c3569c0f25dc1
                                                                                        • Instruction Fuzzy Hash: 5A118BB6A401147BFB696A22DC0DEAF37BEDFC4701F008465BB06E5281D9705E118AB0
APIs
• GetTickCount.KERNEL32 ref: 02D3DD0F
• GetCurrentThreadId.KERNEL32 ref: 02D3DD20
• GetTickCount.KERNEL32 ref: 02D3DD2E
• Sleep.KERNEL32(00000000,?,75920F10,?,00000000,02D3E538,?,75920F10,?,00000000,?,02D3A445), ref: 02D3DD3B
• InterlockedExchange.KERNEL32(02D436B4,00000001), ref: 02D3DD44
• GetCurrentThreadId.KERNEL32 ref: 02D3DD53
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• API String ID: 3819781495-0
APIs
• gethostname.WS2_32(?,00000080), ref: 02D3AD1C
• lstrlenA.KERNEL32(00000000), ref: 02D3AD60
• lstrlenA.KERNEL32(00000000), ref: 02D3AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02D3AD7F
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02D398FD,00000001,00000100,02D422F8,02D3A3C7), ref: 02D34290
• CloseHandle.KERNEL32(02D3A3C7), ref: 02D343AB
• CloseHandle.KERNEL32(00000001), ref: 02D343AE
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: CloseHandle$CreateEvent
• API String ID: 1371578007-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02D3609C
• LoadLibraryA.KERNEL32(?,?,02D364CF,00000000), ref: 02D360C3
• GetProcAddress.KERNEL32(?,00000014), ref: 02D3614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02D3619E
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: Read$AddressLibraryLoadProc
• API String ID: 2438460464-0
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
APIs
• GetTickCount.KERNEL32 ref: 02D3272E
• htons.WS2_32(00000001), ref: 02D32752
• htons.WS2_32(0000000F), ref: 02D327D5
• htons.WS2_32(00000001), ref: 02D327E3
• sendto.WS2_32(?,02D42BF8,00000009,00000000,00000010,00000010), ref: 02D32802
  • Part of subcall function 02D3EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02D3EBFE,7FFF0001,?,02D3DB55,7FFF0001), ref: 02D3EBD3
  • Part of subcall function 02D3EBCC: RtlAllocateHeap.NTDLL(00000000,?,02D3DB55,7FFF0001), ref: 02D3EBDA
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: htons$Heap$AllocateCountProcessTicksendto
• API String ID: 1128258776-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02D422F8), ref: 02D3915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 02D39166
• CharToOemA.USER32(?,?), ref: 02D39174
• wsprintfA.USER32 ref: 02D391A9
  • Part of subcall function 02D39064: GetTempPathA.KERNEL32(00000400,?,00000000,02D422F8), ref: 02D3907B
  • Part of subcall function 02D39064: wsprintfA.USER32 ref: 02D390E9
  • Part of subcall function 02D39064: CreateFileA.KERNEL32(02D422F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D3910E
  • Part of subcall function 02D39064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02D39122
  • Part of subcall function 02D39064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02D3912D
  • Part of subcall function 02D39064: CloseHandle.KERNEL32(00000000), ref: 02D39134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02D391E1
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02D32491,?,?,?,02D3E844,-00000030,?,?,?,00000001), ref: 02D32429
• lstrlenA.KERNEL32(?,?,02D32491,?,?,?,02D3E844,-00000030,?,?,?,00000001,02D31E3D,00000001,localcfg,lid_file_upd), ref: 02D3243E
• lstrcmpiA.KERNEL32(?,?), ref: 02D32452
• lstrlenA.KERNEL32(?,?,02D32491,?,?,?,02D3E844,-00000030,?,?,?,00000001,02D31E3D,00000001,localcfg,lid_file_upd), ref: 02D32467
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
  • Part of subcall function 02D3DD05: GetTickCount.KERNEL32 ref: 02D3DD0F
  • Part of subcall function 02D3DD05: InterlockedExchange.KERNEL32(02D436B4,00000001), ref: 02D3DD44
  • Part of subcall function 02D3DD05: GetCurrentThreadId.KERNEL32 ref: 02D3DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,02D35EC1), ref: 02D3E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,02D35EC1), ref: 02D3E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,02D35EC1), ref: 02D3E722
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
APIs
• RegCreateKeyExA.ADVAPI32(80000001,02D3E2A3,00000000,00000000,00000000,00020106,00000000,02D3E2A3,00000000,000000E4), ref: 02D3E0B2
• RegSetValueExA.ADVAPI32(02D3E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02D422F8), ref: 02D3E127
• RegDeleteValueA.ADVAPI32(02D3E2A3,?,?,?,?,?,000000C8,02D422F8), ref: 02D3E158
• RegCloseKey.ADVAPI32(02D3E2A3,?,?,?,?,000000C8,02D422F8,?,?,?,?,?,?,?,?,02D3E2A3), ref: 02D3E161
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: Value$CloseCreateDelete
• API String ID: 2667537340-0
APIs
• ReadFile.KERNEL32(00000000,00000000,02D3A3C7,00000000,00000000,000007D0,00000001), ref: 02D33FB8
• GetLastError.KERNEL32 ref: 02D33FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02D33FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D33FE6
Memory Dump Source
• Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• API String ID: 888215731-0
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,02D3A3C7,00000000,00000000,000007D0,00000001), ref: 02D33F44
                                                                                        • GetLastError.KERNEL32 ref: 02D33F4E
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 02D33F5F
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D33F72
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: bb23ebf7ea2c68d9ca5ec6fb52cad965ba627b0fe5daba9d9605981ffefd0a3b
                                                                                        • Instruction ID: 105aaf277a1a16052d3cd28c8c96b073e08f7d66bcbb61ba7b20582fdc2479d9
                                                                                        • Opcode Fuzzy Hash: bb23ebf7ea2c68d9ca5ec6fb52cad965ba627b0fe5daba9d9605981ffefd0a3b
                                                                                        • Instruction Fuzzy Hash: 9801D372955109ABDB16DE90DE84BEE7BBCEB04356F504465FA01E6280D730EE24CBA2
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02D3A4D1
                                                                                        • GetTickCount.KERNEL32 ref: 02D3A4E4
                                                                                        • Sleep.KERNEL32(00000000,?,02D3C2E9,02D3C4E0,00000000,localcfg,?,02D3C4E0,02D43588,02D38810), ref: 02D3A4F1
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 02D3A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: f60e9cde0336df4e61330ea9a969f5dd990abf576351e0044765efffc0c9a594
                                                                                        • Instruction ID: 1a614590f0d243e2b627475d5c07554b24c6897c28b55cfc1d164c16d8944723
                                                                                        • Opcode Fuzzy Hash: f60e9cde0336df4e61330ea9a969f5dd990abf576351e0044765efffc0c9a594
                                                                                        • Instruction Fuzzy Hash: E7E0263734021457C7005BA5EC84F6A33D8AB89772F150421FB48D3340C616BC5185B2
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02D34E9E
                                                                                        • GetTickCount.KERNEL32 ref: 02D34EAD
                                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 02D34EBA
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 02D34EC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: fe9b8a400848aaf33424146a996c31bbb8e5025f1d191712d6446b0ab1fac2d2
                                                                                        • Instruction ID: bff9c32fdf5e854da7742470db9f38c12b4e7402ba963df438a44c91defe87db
                                                                                        • Opcode Fuzzy Hash: fe9b8a400848aaf33424146a996c31bbb8e5025f1d191712d6446b0ab1fac2d2
                                                                                        • Instruction Fuzzy Hash: 54E0CD7774121457D7102AF9ED84F5777D99B85372F110931F709E2340C65AEC5245F1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02D34BDD
                                                                                        • GetTickCount.KERNEL32 ref: 02D34BEC
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,0321B06C,02D350F2), ref: 02D34BF9
                                                                                        • InterlockedExchange.KERNEL32(0321B060,00000001), ref: 02D34C02
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: a73563a45207b9969a2e634d16dcc27117668b0a3d25ed8b10dfe08f67d23201
                                                                                        • Instruction ID: 17b0372984ec917ce20368eb68bea690ad9364798e8a5a6704aece0fe74c13f1
                                                                                        • Opcode Fuzzy Hash: a73563a45207b9969a2e634d16dcc27117668b0a3d25ed8b10dfe08f67d23201
                                                                                        • Instruction Fuzzy Hash: 01E0863B68121457C7101AA5AC80F9677E8AB85362F160462F708D2340C55AEC5185B1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02D33103
                                                                                        • GetTickCount.KERNEL32 ref: 02D3310F
                                                                                        • Sleep.KERNEL32(00000000), ref: 02D3311C
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 02D33128
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 7fcd3468155086e6e637e7f1f69201834223d5d8dfbd1cfc0cdb4521d429f6a5
                                                                                        • Instruction ID: dec488013aba81036a0264b95f024fdb5ddbd4748aea577877ef7263c4b79b69
                                                                                        • Opcode Fuzzy Hash: 7fcd3468155086e6e637e7f1f69201834223d5d8dfbd1cfc0cdb4521d429f6a5
                                                                                        • Instruction Fuzzy Hash: DFE02B39740215AFDB402FB5EE44B49ABDADFC47A3F110871F301D2390C650AC10C9B1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: CountTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 536389180-1857712256
                                                                                        • Opcode ID: c8c2411c1d1b868fde6c855c0e9473efb602b9bf0efcb0cf21fb98668fd4f8c0
                                                                                        • Instruction ID: f0bfef118f8e76fcbb2fb9f666f383d7c3c4614524c0e36c1b1dccdc455b6019
                                                                                        • Opcode Fuzzy Hash: c8c2411c1d1b868fde6c855c0e9473efb602b9bf0efcb0cf21fb98668fd4f8c0
                                                                                        • Instruction Fuzzy Hash: 9321D232A10511AFCB558FA8E88465ABBFAEF20259B390499F481DB301CB34ED40DB60
                                                                                        APIs
                                                                                        Strings
                                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02D3C057
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: CountTickwsprintf
                                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                        • API String ID: 2424974917-1012700906
                                                                                        • Opcode ID: 6c783a1922b89acc16306fed9ea558fb8b404336761c87be5e561e28008ae526
                                                                                        • Instruction ID: 6e4d6b4941f3b85d60144cf6edf27f57fda3e8907bf116e59d2de28c2363fcaa
                                                                                        • Opcode Fuzzy Hash: 6c783a1922b89acc16306fed9ea558fb8b404336761c87be5e561e28008ae526
                                                                                        • Instruction Fuzzy Hash: C3119776500100FFDB429EA9DD44E567FA6FF88329B34819CF6188E126D633D863EB50
                                                                                        APIs
                                                                                          • Part of subcall function 02D330FA: GetTickCount.KERNEL32 ref: 02D33103
                                                                                          • Part of subcall function 02D330FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02D33128
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02D33929
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02D33939
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 3716169038-2903620461
                                                                                        • Opcode ID: aaabbb7b6ad5e8ab96fd0126edf447079151f6ea69a898fd64bb5102632baded
                                                                                        • Instruction ID: 7609067b13a0144dd052f57ef4e92efecca1eb230bcedb5562cd88731395b057
                                                                                        • Opcode Fuzzy Hash: aaabbb7b6ad5e8ab96fd0126edf447079151f6ea69a898fd64bb5102632baded
                                                                                        • Instruction Fuzzy Hash: 0F110475940204EFD762DF59D685A58F3F5FB08715F10899AE84497380C770AE80CFA0
                                                                                        APIs
                                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,02D3BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 02D3ABB9
                                                                                        • InterlockedIncrement.KERNEL32(02D43640), ref: 02D3ABE1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 224340156-2903620461
                                                                                        • Opcode ID: 31b18d2d665b38a03f5035a2119160d1a73076f3bf113255fa39e2c87ad58d90
                                                                                        • Instruction ID: 8704c3121903382e630d91360a02f963c30a370578886b5c959ebbd2772c226d
                                                                                        • Opcode Fuzzy Hash: 31b18d2d665b38a03f5035a2119160d1a73076f3bf113255fa39e2c87ad58d90
                                                                                        • Instruction Fuzzy Hash: 59019E316082C4AFEB12CF18E881F967BA6AF15214F184884E5C087303C370ED44CBA1
                                                                                        APIs
                                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02D326C3
                                                                                        • inet_ntoa.WS2_32(?), ref: 02D326E4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2112563974-1857712256
                                                                                        • Opcode ID: 5f33bdb0e5066c95bca9a59e9edf853a6d8bfe3a27ff2b0c70413ebb63c46888
                                                                                        • Instruction ID: 9910ac7898ac0e3bfd02b321552e00f069d54a38fd0016cb4890c71d4d7cb41c
                                                                                        • Opcode Fuzzy Hash: 5f33bdb0e5066c95bca9a59e9edf853a6d8bfe3a27ff2b0c70413ebb63c46888
                                                                                        • Instruction Fuzzy Hash: ABF082365482087BEB056FA0EC49AAA379CEF04760F148425FE08CA2D0DB71DD50C798
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,02D3EB54,_alldiv,02D3F0B7,80000001,00000000,00989680,00000000,?,?,?,02D3E342,00000000,7508EA50,80000001,00000000), ref: 02D3EAF2
                                                                                        • GetProcAddress.KERNEL32(76E80000,00000000), ref: 02D3EB07
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: ntdll.dll
                                                                                        • API String ID: 2574300362-2227199552
                                                                                        • Opcode ID: e3131116e0e3b3277c75eed8d334c47f2f5b9e3fffc1373edd6bdb08dc833fc7
                                                                                        • Instruction ID: a9e55374b451110cb398620d0a6454eeead10831ed2a34fc5eca7c53b1a7f894
                                                                                        • Opcode Fuzzy Hash: e3131116e0e3b3277c75eed8d334c47f2f5b9e3fffc1373edd6bdb08dc833fc7
                                                                                        • Instruction Fuzzy Hash: FCD0C938A803439BEF678F68E90AA4577E8AB40742B604855A94AD1300E730EC68DA00
                                                                                        APIs
                                                                                          • Part of subcall function 02D32D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02D32F01,?,02D320FF,02D42000), ref: 02D32D3A
                                                                                          • Part of subcall function 02D32D21: LoadLibraryA.KERNEL32(?), ref: 02D32D4A
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D32F73
                                                                                        • HeapFree.KERNEL32(00000000), ref: 02D32F7A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.3304250387.0000000002D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_2d30000_svchost.jbxd
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: 682c35866e1718e3d1d23885145c00c40bfaa1ec8f040288a312752414529afa
                                                                                        • Instruction ID: 07c2a90658855193b10dfbde331985c1a6cbbf463034e431d74f109ffc68a033
                                                                                        • Opcode Fuzzy Hash: 682c35866e1718e3d1d23885145c00c40bfaa1ec8f040288a312752414529afa
                                                                                        • Instruction Fuzzy Hash: F1518C7590024AAFDB069F64D888AFAB7B5FF05304F2045A9EC96D7350E732DE19CB90