
Windows Analysis Report
rXTqHar5Ud.exe

Overview

General Information

Sample name: rXTqHar5Ud.exe
Analysis ID: 1516120
MD5: f403202fb853377ceb67200005ef95b8
SHA1: 1840e1495486209e92e5230cf1406f31a02699e7
SHA256: 3eebf917efa82ea7b81f37e9f8c98a702254c5f0a487667a72e78d53a61ce363
Tags: exe, user-JAMESWT_MHT

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rXTqHar5Ud.exe (PID: 2532 cmdline: "C:\Users\user\Desktop\rXTqHar5Ud.exe" MD5: F403202FB853377CEB67200005EF95B8)
    • cmd.exe (PID: 3892 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dkajlqvv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2144 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe" C:\Windows\SysWOW64\dkajlqvv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6036 cmdline: "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6492 cmdline: "C:\Windows\System32\sc.exe" description dkajlqvv "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4412 cmdline: "C:\Windows\System32\sc.exe" start dkajlqvv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 4176 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 2056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1200 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • dpbgdjiw.exe (PID: 4892 cmdline: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d"C:\Users\user\Desktop\rXTqHar5Ud.exe" MD5: E30808D178C5406E7E08BAE69EC89233)
    • svchost.exe (PID: 5236 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 6036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 564 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 5164 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 3196 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2532 -ip 2532 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2144 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 4892 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source / Rule / Description / Author / Strings
Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
    • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
      • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
      • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

Source / Rule / Description / Author / Strings
Source: 12.2.dpbgdjiw.exe.2c80e67.1.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
      • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
      • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.2.dpbgdjiw.exe.2c80e67.1.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
      • 0xe110:$s2: loader_id
      • 0xe140:$s3: start_srv
      • 0xe170:$s4: lid_file_upd
      • 0xe164:$s5: localcfg
      • 0xe894:$s6: Incorrect respons
Source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
        • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
        • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
        • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
        • 0x10310:$s2: loader_id
        • 0x10340:$s3: start_srv
        • 0x10370:$s4: lid_file_upd
        • 0x10364:$s5: localcfg
        • 0x10a94:$s6: Incorrect respons
        • 0x10b74:$s7: mx connect error
        • 0x10af0:$s8: Error sending command (sent = %d/%d)
        • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d"C:\Users\user\Desktop\rXTqHar5Ud.exe", ParentImage: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe, ParentProcessId: 4892, ParentProcessName: dpbgdjiw.exe, ProcessCommandLine: svchost.exe, ProcessId: 5236, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\rXTqHar5Ud.exe", ParentImage: C:\Users\user\Desktop\rXTqHar5Ud.exe, ParentProcessId: 2532, ParentProcessName: rXTqHar5Ud.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 6036, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 5236, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d"C:\Users\user\Desktop\rXTqHar5Ud.exe", ParentImage: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe, ParentProcessId: 4892, ParentProcessName: dpbgdjiw.exe, ProcessCommandLine: svchost.exe, ProcessId: 5236, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5236, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dkajlqvv
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\rXTqHar5Ud.exe", ParentImage: C:\Users\user\Desktop\rXTqHar5Ud.exe, ParentProcessId: 2532, ParentProcessName: rXTqHar5Ud.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 6036, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 5164, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: rXTqHar5Ud.exe; Avira: detected
Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: jotunheim.name:443; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe; Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: 12.3.dpbgdjiw.exe.2ca0000.0.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: rXTqHar5Ud.exe; ReversingLabs: Detection: 39%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe; Joe Sandbox ML: detected
Source: rXTqHar5Ud.exe; Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\rXTqHar5Ud.exe; Unpacked PE file: 0.2.rXTqHar5Ud.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe; Unpacked PE file: 12.2.dpbgdjiw.exe.400000.0.unpack
Source: rXTqHar5Ud.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\dkajlqvv

Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 98.136.96.74 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 195.58.54.132 443
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 142.250.110.27 25
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 52.101.11.0
Source: Joe Sandbox View; IP Address: 217.69.139.150
Source: Joe Sandbox View; IP Address: 98.136.96.74
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: URALTRANSCOM-ASUA
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View; ASN Name: YAHOO-NE1US
Source: global traffic; TCP traffic: 192.168.2.6:49715 -> 52.101.11.0:25
Source: global traffic; TCP traffic: 192.168.2.6:49721 -> 98.136.96.74:25
Source: global traffic; TCP traffic: 192.168.2.6:49724 -> 142.250.110.27:25
Source: global traffic; TCP traffic: 192.168.2.6:49728 -> 217.69.139.150:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49726

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.svchost.exe.3220000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.rXTqHar5Ud.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.rXTqHar5Ud.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.3.dpbgdjiw.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.svchost.exe.3220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.rXTqHar5Ud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.dpbgdjiw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.dpbgdjiw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.dpbgdjiw.exe.2ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.dpbgdjiw.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.rXTqHar5Ud.exe.40c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rXTqHar5Ud.exe PID: 2532, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dpbgdjiw.exe PID: 4892, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 5236, type: MEMORYSTR

System Summary

Source: 12.2.dpbgdjiw.exe.2c80e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.dpbgdjiw.exe.2c80e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.dpbgdjiw.exe.2ca0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.dpbgdjiw.exe.2ca0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.rXTqHar5Ud.exe.40c0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.rXTqHar5Ud.exe.40c0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 16.2.svchost.exe.3220000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 16.2.svchost.exe.3220000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.rXTqHar5Ud.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.rXTqHar5Ud.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.rXTqHar5Ud.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.rXTqHar5Ud.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.rXTqHar5Ud.exe.40a0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.rXTqHar5Ud.exe.40a0e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.dpbgdjiw.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.dpbgdjiw.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 16.2.svchost.exe.3220000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.rXTqHar5Ud.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 16.2.svchost.exe.3220000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.rXTqHar5Ud.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.dpbgdjiw.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.dpbgdjiw.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.dpbgdjiw.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.dpbgdjiw.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.dpbgdjiw.exe.2ce0000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.dpbgdjiw.exe.2ce0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.dpbgdjiw.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.dpbgdjiw.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.rXTqHar5Ud.exe.40c0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.rXTqHar5Ud.exe.40c0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2174520005.00000000024BE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2174342309.0000000002568000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,0_2_00401280
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\dkajlqvv\Jump to behavior
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_0040C9130_2_0040C913
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exeCode function: 12_2_0040C91312_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0322C91316_2_0322C913
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: String function: 040A27AB appears 35 times
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: String function: 00402544 appears 53 times
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2532 -ip 2532
        Source: rXTqHar5Ud.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Matched YARA rules. The four rules that fired are listed once with their metadata; each match below names the rules that hit.
        Rule Windows_Trojan_Tofsee_26124fe4: reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Rule MALWARE_Win_Tofsee: author = ditekSHen, description = Detects Tofsee
        Rule Windows_Trojan_Smokeloader_3687686f: reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Rule Windows_Trojan_RedLineStealer_ed346e4c: reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 12.2.dpbgdjiw.exe.2c80e67.1.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 12.3.dpbgdjiw.exe.2ca0000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0.3.rXTqHar5Ud.exe.40c0000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 16.2.svchost.exe.3220000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0.2.rXTqHar5Ud.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0.2.rXTqHar5Ud.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0.2.rXTqHar5Ud.exe.40a0e67.1.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 12.3.dpbgdjiw.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 16.2.svchost.exe.3220000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0.2.rXTqHar5Ud.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 12.2.dpbgdjiw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 12.2.dpbgdjiw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 12.2.dpbgdjiw.exe.2ce0000.2.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 12.2.dpbgdjiw.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0.3.rXTqHar5Ud.exe.40c0000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Smokeloader_3687686f, Windows_Trojan_Tofsee_26124fe4
        Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 00000000.00000002.2174520005.00000000024BE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_RedLineStealer_ed346e4c
        Source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Smokeloader_3687686f, Windows_Trojan_Tofsee_26124fe4
        Source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: 0000000C.00000002.2174342309.0000000002568000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_RedLineStealer_ed346e4c
        Source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Tofsee_26124fe4, MALWARE_Win_Tofsee
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@31/3@9/5
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_024CE399 CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_03229A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2444:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:3196:64:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:2144:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | File created: C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe
        Source: rXTqHar5Ud.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: rXTqHar5Ud.exe | ReversingLabs: Detection: 39%
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | File read: C:\Users\user\Desktop\rXTqHar5Ud.exe
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Evasive API call chain: GetCommandLine, DecisionNodes, ExitProcess (graph_12-14680)
        Source: unknown | Process created: C:\Users\user\Desktop\rXTqHar5Ud.exe "C:\Users\user\Desktop\rXTqHar5Ud.exe"
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dkajlqvv\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe" C:\Windows\SysWOW64\dkajlqvv\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description dkajlqvv "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start dkajlqvv
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d"C:\Users\user\Desktop\rXTqHar5Ud.exe"
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2532 -ip 2532
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 4892
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1200
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 564
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 564
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1200
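The process-creation entries above record the sample's whole install chain: it creates a staging directory under C:\Windows\SysWOW64, moves the dropped dpbgdjiw.exe into it from the user's Temp folder, registers that copy with sc.exe as an auto-start service named dkajlqvv (display name "wifi support"), starts it, and has netsh add an inbound firewall allow rule for the 32-bit svchost.exe that the service later launches with a bare "svchost.exe" command line and no -k service group. The Python below is an added example, not part of the Joe Sandbox report and not Tofsee code: it parses those entries (copied from this report as constructed input) with one detector per stage, groups the hits by parent image, and reports which parent performed the full chain. The stage names, regexes and the "executable in a subdirectory of SysWOW64 or System32" heuristic are this example's own assumptions; a legitimate installer can also create services under those directories, so the value is in the combination of stages from one parent, not in any single hit.

```python
"""Tag the stages of the Tofsee install chain in process-creation records.

Added example (not part of the Joe Sandbox report). Records are in the report's
own "Source: <parent> | Process created: <image> <command line>" form.
"""
import re
from collections import defaultdict

# Constructed input: process-creation entries copied from this report.
REPORT_LINES = r"""
Source: unknown | Process created: C:\Users\user\Desktop\rXTqHar5Ud.exe "C:\Users\user\Desktop\rXTqHar5Ud.exe"
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dkajlqvv\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe" C:\Windows\SysWOW64\dkajlqvv\
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description dkajlqvv "wifi internet conection"
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start dkajlqvv
Source: unknown | Process created: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d"C:\Users\user\Desktop\rXTqHar5Ud.exe"
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
""".strip().splitlines()

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+)\s*(?P<cmdline>.*)$")
# Executable two levels below SysWOW64/System32 (the sample used a random 8-letter directory).
WINDIR_SUB = re.compile(r"c:\\windows\\(?:syswow64|system32)\\[^\\\s]+\\[^\\\s]+\.exe$")


def parse(lines):
    """Turn report lines into {'parent', 'image', 'cmdline'} dicts; skip non-matching lines."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def _image_is(rec, name):
    return rec["image"].lower().endswith("\\" + name)


def detect_staging(rec):
    """cmd.exe creating a directory under, or moving a Temp file into, SysWOW64/System32."""
    if not _image_is(rec, "cmd.exe"):
        return None
    cl = rec["cmdline"].lower()
    if re.search(r"\bmkdir\s+c:\\windows\\(?:syswow64|system32)\\\S+", cl):
        return "stage_mkdir"
    if re.search(r"\bmove\b.*\\appdata\\local\\temp\\.*\s+c:\\windows\\(?:syswow64|system32)\\", cl):
        return "stage_move"
    return None


def detect_service(rec):
    """sc.exe create with an auto-start binPath inside a SysWOW64/System32 subdirectory."""
    if not _image_is(rec, "sc.exe"):
        return None
    cl = rec["cmdline"].lower()
    m = re.search(r'\bcreate\s+(?P<name>\S+)\s.*?binpath=\s*"(?P<exe>[^"\s]+)', cl)
    if m and WINDIR_SUB.search(m.group("exe")) and re.search(r"start=\s*auto", cl):
        return "service_create"
    return None


def detect_firewall(rec):
    """netsh adding an inbound allow rule whose program is an svchost.exe image."""
    if not _image_is(rec, "netsh.exe"):
        return None
    cl = rec["cmdline"].lower()
    if "advfirewall firewall add rule" not in cl or "action=allow" not in cl:
        return None
    m = re.search(r'program="?(?P<prog>[^"\s]+)', cl)
    if m and m.group("prog").endswith("\\svchost.exe"):
        return "firewall_allow_svchost"
    return None


def detect_svchost(rec):
    """svchost.exe started by something other than services.exe and without a -k group."""
    if not _image_is(rec, "svchost.exe"):
        return None
    if rec["parent"].lower().endswith("\\services.exe") or re.search(r"\s-k\s", rec["cmdline"].lower()):
        return None
    return "svchost_spawn"


DETECTORS = (detect_staging, detect_service, detect_firewall, detect_svchost)


def analyze(lines):
    """Return {parent image: sorted stage names observed from that parent}."""
    chains = defaultdict(set)
    for rec in parse(lines):
        for detector in DETECTORS:
            stage = detector(rec)
            if stage:
                chains[rec["parent"]].add(stage)
    return {parent: sorted(stages) for parent, stages in chains.items()}


def full_chain(chains):
    """Parents that staged a binary, registered it as a service and opened the firewall."""
    need = {"stage_move", "service_create", "firewall_allow_svchost"}
    return sorted(p for p, stages in chains.items() if need <= set(stages))


if __name__ == "__main__":
    found = analyze(REPORT_LINES)
    for parent, stages in found.items():
        print(parent, "->", ", ".join(stages))
    print("full install chain from:", full_chain(found))
```

Run against the report's entries, the dropper rXTqHar5Ud.exe collects all four install stages and is the only parent reported by full_chain, while the service binary dpbgdjiw.exe is tagged only for spawning the groupless svchost.exe; the WerSvcGroup svchost.exe is left alone because it carries a -k argument. On real endpoint telemetry the parent field would come from Sysmon Event ID 1 or an EDR process tree rather than from a report line.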
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: rXTqHar5Ud.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Unpacked PE file: 0.2.rXTqHar5Ud.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Unpacked PE file: 12.2.dpbgdjiw.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Unpacked PE file: 0.2.rXTqHar5Ud.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Unpacked PE file: 12.2.dpbgdjiw.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_024BE5B4 push eax; retf 0_2_024BE5B5

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | File created: C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe (copy)
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dkajlqvv
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\rxtqhar5ud.exe
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 16_2_0322199C
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-15072
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15785
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_16-7599
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_16-6133
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-15766
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_16-6412
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-14777
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_0-14530
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-14583
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_16-7414
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-14696
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14360
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | API coverage: 5.4 %
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | API coverage: 3.9 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 6552 | Thread sleep count: 38 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 6552 | Thread sleep time: -38000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
        Source: svchost.exe, 00000010.00000002.3383067690.0000000003600000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_16-7659
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_0-15846
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_024CDC76 push dword ptr fs:[00000030h] 0_2_024CDC76
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_040A092B mov eax, dword ptr fs:[00000030h] 0_2_040A092B
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_040A0D90 mov eax, dword ptr fs:[00000030h] 0_2_040A0D90
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Code function: 12_2_0257831E push dword ptr fs:[00000030h] 12_2_0257831E
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Code function: 12_2_02C80D90 mov eax, dword ptr fs:[00000030h] 12_2_02C80D90
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Code function: 12_2_02C8092B mov eax, dword ptr fs:[00000030h] 12_2_02C8092B
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_03229A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 16_2_03229A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.74 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 195.58.54.132 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.250.110.27 25
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 3220000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3220000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3220000
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3105008
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dkajlqvv\
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe" C:\Windows\SysWOW64\dkajlqvv\
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description dkajlqvv "wifi internet conection"
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start dkajlqvv
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2532 -ip 2532
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 4892
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 564
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1200
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
        Source: C:\Users\user\Desktop\rXTqHar5Ud.exeCode function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Stealing of Sensitive Information

Source: Yara match | File source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.3220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rXTqHar5Ud.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rXTqHar5Ud.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.dpbgdjiw.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.3220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rXTqHar5Ud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.2ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.rXTqHar5Ud.exe.40c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rXTqHar5Ud.exe PID: 2532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dpbgdjiw.exe PID: 4892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5236, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 12.2.dpbgdjiw.exe.2ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.3220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rXTqHar5Ud.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rXTqHar5Ud.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.dpbgdjiw.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.3220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rXTqHar5Ud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.2ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dpbgdjiw.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.rXTqHar5Ud.exe.40c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rXTqHar5Ud.exe PID: 2532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dpbgdjiw.exe PID: 4892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5236, type: MEMORYSTR
Source: C:\Users\user\Desktop\rXTqHar5Ud.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
Source: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 12_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_032288B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 16_2_032288B0
MITRE ATT&CK Matrix (one column per tactic; a numeric prefix on a technique is the report's signature-hit count, kept as extracted):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 41 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 3 Service Execution | 14 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 14 Windows Service | 2 Software Packing | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 412 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1516120 | Sample: rXTqHar5Ud.exe | Startdate: 23/09/2024 | Architecture: WINDOWS | Score: 100

Top level:
  DNS/IP: yahoo.com; vanaheim.cn; 6 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
  Started: dpbgdjiw.exe; rXTqHar5Ud.exe; svchost.exe

dpbgdjiw.exe:
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  Started: svchost.exe; WerFault.exe

rXTqHar5Ud.exe:
  Dropped: C:\Users\user\AppData\Local\...\dpbgdjiw.exe, PE32
  Signatures: Found API chain indicative of debugger detection; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: cmd.exe; netsh.exe; cmd.exe; 4 other processes

svchost.exe (top level):
  Started: WerFault.exe; WerFault.exe

svchost.exe (started by dpbgdjiw.exe):
  DNS/IP: mta5.am0.yahoodns.net 98.136.96.74, 25 YAHOO-NE1US United States; vanaheim.cn 195.58.54.132, 443, 49716, 49726 URALTRANSCOM-ASUA Russian Federation; 3 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

cmd.exe (first, started by rXTqHar5Ud.exe):
  Dropped: C:\Windows\SysWOW64\...\dpbgdjiw.exe (copy), PE32
  Started: conhost.exe

netsh.exe: started conhost.exe
cmd.exe (second): started conhost.exe
4 other processes: started conhost.exe; conhost.exe; conhost.exe

Source | Detection | Scanner | Label
rXTqHar5Ud.exe | 39% | ReversingLabs |
rXTqHar5Ud.exe | 100% | Avira | HEUR/AGEN.1310247
rXTqHar5Ud.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe | 100% | Joe Sandbox ML |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
mta5.am0.yahoodns.net | 98.136.96.74 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown
vanaheim.cn | 195.58.54.132 | true | true | | unknown
smtp.google.com | 142.250.110.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown

• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
195.58.54.132 | vanaheim.cn | Russian Federation | 41082 | URALTRANSCOM-ASUA | true
142.250.110.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
98.136.96.74 | mta5.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1516120
Start date and time: 2024-09-23 20:16:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rXTqHar5Ud.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@31/3@9/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 62
• Number of non-executed functions: 256
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.76.201.171, 20.70.246.20, 20.236.44.162, 20.231.239.246, 2.23.209.179, 2.23.209.187, 2.23.209.189, 2.23.209.149, 2.23.209.176, 2.23.209.133, 2.23.209.130, 2.23.209.177, 2.23.209.148
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: rXTqHar5Ud.exe
Time | Type | Description
14:17:53 | API Interceptor | 11x Sleep call for process: svchost.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        52.101.11.0RSno9EH0K9.exeGet hashmaliciousTofseeBrowse
                          ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                            knkduwqg.exeGet hashmaliciousTofseeBrowse
                              bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                  vyrcclmm.exeGet hashmaliciousTofseeBrowse
                                    AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                      DWoKcG581L.exeGet hashmaliciousTofseeBrowse
                                        kPl1mZTpru.exeGet hashmaliciousTofseeBrowse
                                          Wc4SadetF5.exeGet hashmaliciousTofseeBrowse
                                            195.58.54.1322IFYYPRUgO.exeGet hashmaliciousTofseeBrowse
                                              H3nfKrgQbi.exeGet hashmaliciousTofseeBrowse
                                                217.69.139.150874A7cigvX.exeGet hashmaliciousTofseeBrowse
                                                  RSno9EH0K9.exeGet hashmaliciousTofseeBrowse
                                                    ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                      Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                        knkduwqg.exeGet hashmaliciousTofseeBrowse
                                                          foufdsk.exeGet hashmaliciousTofseeBrowse
                                                            bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                              Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                  Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                    98.136.96.74qkkcfptf.exeGet hashmaliciousTofseeBrowse
                                                                      rRBVVlBwia.exeGet hashmaliciousTofseeBrowse
                                                                        file.exeGet hashmaliciousPhorpiexBrowse
                                                                          file.exeGet hashmaliciousPhorpiexBrowse
                                                                            file.exeGet hashmaliciousTofseeBrowse
                                                                              newtpp.exeGet hashmaliciousPhorpiexBrowse
                                                                                gEkl9O5tiu.exeGet hashmaliciousPhorpiexBrowse
                                                                                  file.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                                                    l3Qj8QhTYZ.exeGet hashmaliciousPhorpiexBrowse
                                                                                      data.log.exeGet hashmaliciousUnknownBrowse
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        microsoft-com.mail.protection.outlook.com2IFYYPRUgO.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.8.49
                                                                                        H3nfKrgQbi.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.42.0
                                                                                        2FnvReiPU6.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.11.9
                                                                                        874A7cigvX.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.42.0
                                                                                        RSno9EH0K9.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.8.49
                                                                                        ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.11.0
                                                                                        Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.8.49
                                                                                        qkkcfptf.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.42.0
                                                                                        vekvtia.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.8.49
                                                                                        knkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                        • 52.101.11.0
                                                                                        mta5.am0.yahoodns.netH3nfKrgQbi.exeGet hashmaliciousTofseeBrowse
                                                                                        • 67.195.204.79
                                                                                        ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                                                        • 67.195.228.109
                                                                                        igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                        • 67.195.228.110
                                                                                        fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                                        • 67.195.228.94
                                                                                        SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeGet hashmaliciousTofseeBrowse
                                                                                        • 98.136.96.91
  vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
  lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
  I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
  file.exe | malicious | Phorpiex | 67.195.228.110
  file.exe | malicious | Phorpiex | 98.136.96.74
mxs.mail.ru
  2IFYYPRUgO.exe | malicious | Tofsee | 94.100.180.31
  H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
  2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
  874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
  RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
  ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
  Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
  qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
  vekvtia.exe | malicious | Tofsee | 94.100.180.31
  knkduwqg.exe | malicious | Tofsee | 217.69.139.150
Match
  Associated Sample Name / URL | Detection | Threat Name | Context
URALTRANSCOM-ASUA
  2IFYYPRUgO.exe | malicious | Tofsee | 195.58.54.132
  H3nfKrgQbi.exe | malicious | Tofsee | 195.58.54.132
  cQOoKCZyG3.elf | malicious | Mirai | 91.215.129.108
  09M6JXwjtO.elf | malicious | Mirai | 195.133.84.147
  Pb0GaINSjK.elf | malicious | Mirai | 194.87.3.81
  QN5PrDr5St.elf | malicious | Unknown | 195.133.84.180
  8dToMPcvO1.elf | malicious | Mirai | 91.215.129.145
  wsskM49eA3.elf | malicious | Unknown | 195.133.89.28
  quhEKAdhFU.elf | malicious | Mirai | 91.215.129.137
  5z7qDyLr2T.elf | malicious | Mirai | 91.215.129.142
MAILRU-ASMailRuRU
  2IFYYPRUgO.exe | malicious | Tofsee | 94.100.180.31
  H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
  8zzBr1gT31.elf | malicious | Mirai | 5.61.23.57
  2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
  OuZGkt7xKK.exe | malicious | Coinhive, Xmrig | 178.237.20.50
  OuZGkt7xKK.exe | malicious | Coinhive, Xmrig | 178.237.20.50
  874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
  RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
  ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
  Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
YAHOO-NE1US
  Tsunami.arm.elf | malicious | Mirai | 98.137.87.86
  2FnvReiPU6.exe | malicious | Tofsee | 98.136.96.91
  qkkcfptf.exe | malicious | Tofsee | 98.136.96.74
  knkduwqg.exe | malicious | Tofsee | 98.136.96.75
  foufdsk.exe | malicious | Tofsee | 98.136.96.76
  .exe | malicious | Unknown | 98.136.96.76
  VvlYJBzLuW.elf | malicious | Mirai | 216.252.107.64
  rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
  setup.exe | malicious | Tofsee | 98.136.96.76
  botx.arm.elf | malicious | Mirai | 98.138.56.151
MICROSOFT-CORP-MSN-AS-BLOCKUS
  fhSD7cCQRW.htm | malicious | Unknown | 150.171.27.10
  0n25lfPJxD.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm | 40.114.114.106
  http://email.lndg.page/ls/click?upn=u001.IvLseMgsVhVvzUpwRiP-2FwHcYgYhC-2FGgyJ4SYlOmfnU0vpk3F-2FdnKwGEcikPNWl7AuE6IkZZ1A-2BFPEyDboqe-2B7Lj4-2FBLrURhM6P-2BVimmhP8ywtnU0tiSwJiHclGExadMkPbv31fArzKsBOdpDUi6FfV4X-2FXMq-2BLiUPVu9cZK2rUixRgPxeHjooE5ANKgz5LO2r1HvkRajramOrfuxyTj5F-2F9ha-2BAfwp8bzuwfnEGUXnAMft6NCcqA5FJmV8JfQ0-2FwKaMV_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FD59pf6KKODwP63UPLy27mgp-2FqTgdFleUsG4ygMdisVJJ0CDq1iL9Ljh5jCrVrbyQsE9Ko6GU4XMfNXGxlhkGjM5VU4HzKNBs1MjxGZ2qRKEJ-2F3V58K5D3LGyY1HE-2BVQpxmLTX1WQNHahobwGsL7GcnagwUjT9o0F5vg9CkCA30qw-3D-3D | malicious | Unknown | 13.107.246.60
  https://forms.office.com/Pages/ShareFormPage.aspx?id=atlxJ-ZfTkmpiBz5GOrQZra6YH8IF9tJvDnK9FEosBRUNUoySTNMSlhENTkyTjRFS0pYUFBWREJDVS4u&sharetoken=VjI7W44Fh45blPkj2SeD | malicious | HTMLPhisher | 13.107.246.60
  https://wanshaofu.top/ | malicious | HTMLPhisher | 13.107.246.60
  ffa72d5-Cabinetworksgroup Inv23998.html | malicious | HTMLPhisher | 13.107.246.60
  https://href.li/?https://0r2Ic.phydrimic.com/6bvcD/# | malicious | Unknown | 150.171.27.10
  https://twwi.documentother.com/ihdLI | malicious | Unknown | 13.107.253.72
  https://qfS.zephyrane.com/MFJysj7U/ | malicious | HTMLPhisher, Tycoon2FA | 150.171.27.10
  https://app.powerbi.com/view?r=eyJrIjoiOWEwN2RmMjItNjhiOC00Njc0LTliM2MtNzdiNWRiOGVlMWIyIiwidCI6IjJkMTNkMGU4LTI1YjgtNDE2Yi04YzQ1LTVkZDU4MDgzYmVjZCJ9 | malicious | Unknown | 20.201.88.210
                                                                                        No context
                                                                                        No context
                                                                                        Process:C:\Users\user\Desktop\rXTqHar5Ud.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):15208448
                                                                                        Entropy (8bit):4.8330923320491594
                                                                                        Encrypted:false
                                                                                        SSDEEP:393216:8BSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSi:8
                                                                                        MD5:E30808D178C5406E7E08BAE69EC89233
                                                                                        SHA1:72D01320B4873C10F7BDAFC362CABB7A89A65FB5
                                                                                        SHA-256:0DBF88CC067DA8BB92DD12274F6C81C660197D3E754AEF51319A2759F8127F4B
                                                                                        SHA-512:F8BF96D71ADC683D67CF7046B047CB9E75B57E1968F8F946FA3D851ECAACC4151FAB6715FD7526BD1B5AC5A1FC9D38C4E971A90CB40EF8B98681B4FC8D10491E
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............qb..qb..qb.....qb......qb.....qb.....qb..qc.eqb.....qb......qb......qb.Rich.qb.........................PE..L...f..e.............................(............@..................................|..........................................x.......`...............................................................@...............4............................text............................... ..`.rdata..............................@..@.data...........^..................@....rsrc...`............J..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):15208448
                                                                                        Entropy (8bit):4.8330923320491594
                                                                                        Encrypted:false
                                                                                        SSDEEP:393216:8BSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSi:8
                                                                                        MD5:E30808D178C5406E7E08BAE69EC89233
                                                                                        SHA1:72D01320B4873C10F7BDAFC362CABB7A89A65FB5
                                                                                        SHA-256:0DBF88CC067DA8BB92DD12274F6C81C660197D3E754AEF51319A2759F8127F4B
                                                                                        SHA-512:F8BF96D71ADC683D67CF7046B047CB9E75B57E1968F8F946FA3D851ECAACC4151FAB6715FD7526BD1B5AC5A1FC9D38C4E971A90CB40EF8B98681B4FC8D10491E
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............qb..qb..qb.....qb......qb.....qb.....qb..qc.eqb.....qb......qb......qb.Rich.qb.........................PE..L...f..e.............................(............@..................................|..........................................x.......`...............................................................@...............4............................text............................... ..`.rdata..............................@..@.data...........^..................@....rsrc...`............J..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\netsh.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):3773
                                                                                        Entropy (8bit):4.7109073551842435
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                        MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                        SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                        SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                        SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                        Malicious:false
                                                                                        Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
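The text file above is netsh's own output rather than anything the sample wrote: the line "A specified value is not valid." followed by the usage text for advfirewall firewall add rule is what netsh prints when it rejects a parameter value, so the invocation that produced this file did not add a rule, and its stdout was redirected into a file by the calling process (netsh ran from SysWOW64, i.e. it was started by a 32-bit process, consistent with the PE32 sample). A detection that waits for a new rule to show up in the firewall policy would therefore miss this activity; keying on the netsh process creation catches both the rejected and the successful variant. The following Python is an added example and is not part of the Joe Sandbox report; the Sysmon-style event records, the parent processes, the rule name EXAMPLE and the program path C:\Windows\EXAMPLE.exe are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records (hypothetical parents,
# rule name and program path); these are not events from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="EXAMPLE" dir=in action=allow program="C:\Windows\EXAMPLE.exe" enable=yes'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh interface ip show config"},
]

ADD_RULE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Executables sitting directly under the Windows root, or in user-writable trees.
SUSPICIOUS_PROGRAM = re.compile(
    r"^[a-z]:\\windows\\[^\\]+\.exe$|\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\", re.I)


def parse_rule_args(cmdline: str) -> dict:
    """netsh key=value pairs, quoted or bare, with keys lower-cased."""
    return {k.lower(): quoted or bare for k, quoted, bare in KEY_VALUE.findall(cmdline)}


def assess(event: dict):
    """Assessment for an add-rule invocation, or None for any other netsh use.
    Only the command line is consulted, so a rule that netsh later rejects
    (as in the captured usage text) is still reported."""
    cmd = event["CommandLine"]
    if not ADD_RULE.search(cmd):
        return None
    args = parse_rule_args(cmd)
    program = args.get("program", "")
    reasons = []
    if args.get("dir", "").lower() == "in" and args.get("action", "").lower() == "allow":
        reasons.append("inbound allow rule")
    if program and SUSPICIOUS_PROGRAM.search(program):
        reasons.append("program in a non-standard or writable location: " + program)
    if "\\syswow64\\" in event["Image"].lower():
        reasons.append("32-bit netsh, so the caller is a WOW64 (32-bit) process")
    severity = "high" if any(r.startswith("program in") for r in reasons) else "medium"
    return {"severity": severity, "rule_name": args.get("name", ""),
            "program": program, "reasons": reasons}


def scan(events):
    """(index, assessment) for every event that is a firewall add-rule command."""
    hits = []
    for i, event in enumerate(events):
        verdict = assess(event)
        if verdict is not None:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, hit in scan(SAMPLE_EVENTS):
        print(i, hit["severity"], hit["rule_name"], hit["reasons"])
```

The severity split is deliberate: an inbound allow rule created by an administrator for a listening service is routine and only worth a medium-priority record, whereas a rule whose program= argument points at an executable directly under C:\Windows or in a user-writable directory is the shape of a freshly dropped binary opening itself to the network.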
                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Entropy (8bit):6.898855911967009
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:rXTqHar5Ud.exe
                                                                                        File size:406'528 bytes
                                                                                        MD5:f403202fb853377ceb67200005ef95b8
                                                                                        SHA1:1840e1495486209e92e5230cf1406f31a02699e7
                                                                                        SHA256:3eebf917efa82ea7b81f37e9f8c98a702254c5f0a487667a72e78d53a61ce363
                                                                                        SHA512:13b130d6f2ac8be444e16d4b1116812179d5043912a7aa24bd0d566eeecf4447be09fd54266dc12ff1902569d048c93a2d0c827abc135b0159f8156c18f9bf7a
                                                                                        SSDEEP:6144:7BYOcLH6/xNtFxaS3DpwmEIey0bGWEbje2bkln5eOy8:76Ocb6/r/xv2GWaeaklQT8
                                                                                        TLSH:0E846B5292E17C51E96ECF72CE2EC6E4773EB6508E69277E22389A3F04B1171C172721
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............qb..qb..qb......qb......qb......qb......qb..qc.eqb......qb......qb......qb.Rich.qb.........................PE..L...f..e...
                                                                                        Icon Hash:532945654955610d
                                                                                        Entrypoint:0x4028d3
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x658D9166 [Thu Dec 28 15:16:54 2023 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:5
                                                                                        OS Version Minor:1
                                                                                        File Version Major:5
                                                                                        File Version Minor:1
                                                                                        Subsystem Version Major:5
                                                                                        Subsystem Version Minor:1
                                                                                        Import Hash:986c435e506f58d0c12bcc8ade90d975
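The static fields above (Time Stamp, Image File Characteristics, Entrypoint, Subsystem, OS Version, DLL Characteristics) are read straight out of the COFF and optional headers, and two of them matter for how this sample behaves. RELOCS_STRIPPED with no DYNAMIC_BASE flag means the loader can only map the image at its Imagebase of 0x400000, so any copy of this PE injected into another process has to land at that address too. The section table also fixes where the file's mapped content ends, and everything after that point is overlay: the dropped PE listed earlier in this section (15,208,448 bytes, entropy 4.83, an ssdeep hash made of a single repeated block, recorded with identical hashes under both rXTqHar5Ud.exe and cmd.exe) has the profile of a small PE followed by a large repetitive overlay, against 406,528 bytes and entropy 6.90 for the submitted file. The timestamp, finally, is whatever the linker (or the author) wrote and is trivially editable, so it is context rather than evidence. The following Python is an added example and not part of the Joe Sandbox report: it decodes those header fields and measures overlay padding. build_sample_pe() constructs a minimal PE32 that carries the report's header values so the decoder can be checked against them; it is not the real sample, and the constants, the 1 KiB .text content and the padding pattern are assumptions for the example.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
PE32_MAGIC = 0x10B


def parse_pe(data: bytes) -> dict:
    """Decode the COFF header, the PE32 optional header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    # Bytes past the last section's raw data are never mapped by the loader: the overlay.
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return {
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "characteristics": chars,
        "entry_point": image_base + entry_rva,   # the report shows the VA, not the RVA
        "subsystem": subsystem,                  # 2 = windows gui
        "os_version": (os_major, os_minor),
        # With relocations stripped the image can only be mapped at image_base.
        "fixed_base": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "aslr_requested": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "sections": sections,
        "overlay_offset": end_of_sections,
        "overlay_size": max(0, len(data) - end_of_sections),
    }


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def dominant_chunk_fraction(buf: bytes, chunk: int = 4096) -> float:
    """Share of buf covered by its single most common chunk-sized block. Near 1.0
    means one block repeated end to end, which is the pattern behind an ssdeep
    hash that consists of a single repeated character."""
    if len(buf) < chunk:
        return 0.0
    blocks = Counter(buf[i:i + chunk] for i in range(0, len(buf) - chunk + 1, chunk))
    return blocks.most_common(1)[0][1] * chunk / len(buf)


def inflation_report(data: bytes) -> dict:
    """Flag a file whose overlay dwarfs its mapped content and is repetitive."""
    pe = parse_pe(data)
    overlay = data[pe["overlay_offset"]:]
    dominant = dominant_chunk_fraction(overlay)
    return {
        "file_size": len(data),
        "overlay_size": pe["overlay_size"],
        "entropy_whole": round(shannon_entropy(data), 2),
        "entropy_overlay": round(shannon_entropy(overlay), 2),
        "overlay_dominant_chunk": round(dominant, 2),
        "inflated": pe["overlay_size"] > 4 * pe["overlay_offset"] and dominant > 0.9,
    }


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 (not the real sample) carrying the header values
    the report lists, plus an optional overlay appended after the only section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    chars = IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x658D9166, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x28D3)                      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<HH", opt, 40, 5, 1)                       # OS version 5.1
    struct.pack_into("<HH", opt, 68, 2, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)
    text = bytes(range(256)) * 4                                 # 1 KiB of non-repeating section data
    raw_ptr = 0x200                                              # headers fit in the first 512 bytes
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sect)
    image += b"\0" * (raw_ptr - len(image)) + text
    return bytes(image) + overlay


if __name__ == "__main__":
    clean = build_sample_pe()
    padded = build_sample_pe(overlay=(b"ABCD" * 1024) * 256)     # 1 MiB of one repeated 4 KiB block
    print(parse_pe(clean)["timestamp_utc"], hex(parse_pe(clean)["entry_point"]))
    print(inflation_report(clean))
    print(inflation_report(padded))
```

Run against a real dropped file, the two numbers to compare are overlay_size against overlay_offset and overlay_dominant_chunk against the file's ssdeep: a mapped image of a few hundred KiB trailed by many MiB of one repeated block is padding to push the file past size limits of scanners and upload pipelines, and the hashes worth pivoting on are those of the bytes before overlay_offset, not of the whole file.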
                                                                                        Instruction
                                                                                        call 00007F3F306EC12Bh
                                                                                        jmp 00007F3F306E8CFEh
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        call 00007F3F306E8EACh
                                                                                        xchg cl, ch
                                                                                        jmp 00007F3F306E8E94h
                                                                                        call 00007F3F306E8EA3h
                                                                                        fxch st(0), st(1)
                                                                                        jmp 00007F3F306E8E8Bh
                                                                                        fabs
                                                                                        fld1
                                                                                        mov ch, cl
                                                                                        xor cl, cl
                                                                                        jmp 00007F3F306E8E81h
                                                                                        mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                                                        fabs
                                                                                        fxch st(0), st(1)
                                                                                        fabs
                                                                                        fxch st(0), st(1)
                                                                                        fpatan
                                                                                        or cl, cl
                                                                                        je 00007F3F306E8E76h
                                                                                        fldpi
                                                                                        fsubrp st(1), st(0)
                                                                                        or ch, ch
                                                                                        je 00007F3F306E8E74h
                                                                                        fchs
                                                                                        ret
                                                                                        fabs
                                                                                        fld st(0), st(0)
                                                                                        fld st(0), st(0)
                                                                                        fld1
                                                                                        fsubrp st(1), st(0)
                                                                                        fxch st(0), st(1)
                                                                                        fld1
                                                                                        faddp st(1), st(0)
                                                                                        fmulp st(1), st(0)
                                                                                        ftst
                                                                                        wait
                                                                                        fstsw word ptr [ebp-000000A0h]
                                                                                        wait
                                                                                        test byte ptr [ebp-0000009Fh], 00000001h
                                                                                        jne 00007F3F306E8E77h
                                                                                        xor ch, ch
                                                                                        fsqrt
                                                                                        ret
                                                                                        pop eax
                                                                                        jmp 00007F3F306E949Fh
                                                                                        fstp st(0)
                                                                                        fld tbyte ptr [0040FBDAh]
                                                                                        ret
                                                                                        fstp st(0)
                                                                                        or cl, cl
                                                                                        je 00007F3F306E8E7Dh
                                                                                        fstp st(0)
                                                                                        fldpi
                                                                                        or ch, ch
                                                                                        je 00007F3F306E8E74h
                                                                                        fchs
                                                                                        ret
                                                                                        fstp st(0)
                                                                                        fldz
                                                                                        or ch, ch
                                                                                        je 00007F3F306E8E69h
                                                                                        fchs
                                                                                        ret
                                                                                        fstp st(0)
                                                                                        jmp 00007F3F306E9475h
                                                                                        fstp st(0)
                                                                                        mov cl, ch
                                                                                        jmp 00007F3F306E8E72h
                                                                                        call 00007F3F306E8E3Eh
                                                                                        jmp 00007F3F306E9480h
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        push ebp
                                                                                        mov ebp, esp
                                                                                        add esp, FFFFFD30h
                                                                                        push ebx
                                                                                        Programming Language:
                                                                                        • [C++] VS2010 build 30319
                                                                                        • [ASM] VS2010 build 30319
                                                                                        • [ C ] VS2010 build 30319
                                                                                        • [IMP] VS2008 SP1 build 30729
                                                                                        • [RES] VS2010 build 30319
                                                                                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3eb0c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x205c000 | 0x1e860 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3eb84 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3e688 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x234 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xdefc | 0xe000 | b5df6ebc595a2803e0d7fb871e8ea275 | False | 0.6059221540178571 | data | 6.71489583929132 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x307d0 | 0x30800 | fb50e53fb846b2e78cf1f96df3f70fdc | False | 0.9405504993556701 | data | 7.8843085487433875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x201b1f0 | 0x5e00 | d70e30c3b013fe773e07e0332aaaee8e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x205c000 | 0x1e860 | 0x1ea00 | 17c3c8dca0924acad8e2cda53ead6e40 | False | 0.4177853954081633 | data | 4.753377258268954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
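Two things in the section table are what an analyst checks first on a suspected packed sample: .rdata has an entropy close to 8.0 bits/byte, which is what compressed or encrypted data looks like, and .data has a virtual size of 0x201b1f0 against a raw size of 0x5e00, so the loader maps roughly 33 MB of zero-filled writable memory that only the running unpacker will fill. The following script is an added example, not part of the Joe Sandbox report or of the sample: it re-computes the Entropy column's measure (Shannon entropy in bits per byte) and runs a small triage over the section values copied from the table above. The thresholds (7.2 bits/byte, a 4x size ratio with at least a 1 MiB gap) are this example's own choices, not Joe Sandbox's.

```python
import math
from collections import Counter
from typing import Dict, List, Optional

# Section rows copied from the report table above:
# (name, virtual address, virtual size, raw size, entropy as printed or
#  None where the report says "unknown", characteristics).
SECTIONS = [
    (".text",  0x1000,    0xdefc,    0xe000,  6.71489583929132,   "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    (".rdata", 0xf000,    0x307d0,   0x30800, 7.8843085487433875, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".data",  0x40000,   0x201b1f0, 0x5e00,  None,               "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".rsrc",  0x205c000, 0x1e860,   0x1ea00, 4.753377258268954,  "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
]

# Thresholds chosen for this example (assumptions, not report settings).
HIGH_ENTROPY = 7.2     # bits/byte; compressed or encrypted data sits near 8.0
SIZE_RATIO = 4         # virtual size this many times the raw size...
SIZE_GAP = 0x100000    # ...and at least 1 MiB larger, to ignore small .bss tails


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the measure behind the Entropy column:
    0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_section(name: str, va: int, vsize: int, rawsize: int,
                   entropy: Optional[float], chars: str) -> List[str]:
    """Return short finding codes for one section header."""
    findings: List[str] = []
    if entropy is not None and entropy >= HIGH_ENTROPY:
        findings.append("high_entropy")          # packed/encrypted payload
    if vsize >= SIZE_RATIO * rawsize and vsize - rawsize >= SIZE_GAP:
        findings.append("virtual_gt_raw")        # big zero-filled region, unpack target
    if "IMAGE_SCN_MEM_EXECUTE" in chars and "IMAGE_SCN_MEM_WRITE" in chars:
        findings.append("writable_executable")   # W+X section in the file itself
    if entropy is None:
        findings.append("entropy_not_reported")  # report could not measure it
    return findings


def triage_sections(sections=SECTIONS) -> Dict[str, List[str]]:
    return {row[0]: triage_section(*row) for row in sections}


if __name__ == "__main__":
    for name, findings in triage_sections().items():
        print(f"{name:7s} {findings or 'nothing notable'}")
```

On the values above only .rdata (high entropy) and .data (virtual size far beyond raw size, entropy not measured) produce findings; .text and .rsrc are unremarkable, which matches an unpacking stub that keeps its payload in a read-only data section and inflates it into .data at run time.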
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
NOLIF | 0x20752e8 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5879156423858196
NOLIF | 0x20752e8 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5879156423858196
RT_CURSOR | 0x2077158 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x2078000 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x20788a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_ICON | 0x205c950 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.43523454157782515
RT_ICON | 0x205c950 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.43523454157782515
RT_ICON | 0x205d7f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5401624548736462
RT_ICON | 0x205d7f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5401624548736462
RT_ICON | 0x205e0a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6002304147465438
RT_ICON | 0x205e0a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6002304147465438
RT_ICON | 0x205e768 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6705202312138728
RT_ICON | 0x205e768 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6705202312138728
RT_ICON | 0x205ecd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.32987551867219916
RT_ICON | 0x205ecd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.32987551867219916
RT_ICON | 0x2061278 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.4047842401500938
RT_ICON | 0x2061278 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.4047842401500938
RT_ICON | 0x2062320 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.47008196721311474
RT_ICON | 0x2062320 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.47008196721311474
RT_ICON | 0x2062ca8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.5558510638297872
RT_ICON | 0x2062ca8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.5558510638297872
RT_ICON | 0x2063188 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3664712153518124
RT_ICON | 0x2063188 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3664712153518124
RT_ICON | 0x2064030 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.45306859205776173
RT_ICON | 0x2064030 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.45306859205776173
RT_ICON | 0x20648d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.45910138248847926
RT_ICON | 0x20648d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.45910138248847926
RT_ICON | 0x2064fa0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.45664739884393063
RT_ICON | 0x2064fa0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.45664739884393063
RT_ICON | 0x2065508 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.26908713692946057
RT_ICON | 0x2065508 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.26908713692946057
RT_ICON | 0x2067ab0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.30417448405253283
RT_ICON | 0x2067ab0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.30417448405253283
RT_ICON | 0x2068b58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.35726950354609927
RT_ICON | 0x2068b58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.35726950354609927
RT_ICON | 0x2069028 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.56636460554371
RT_ICON | 0x2069028 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.56636460554371
RT_ICON | 0x2069ed0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5482851985559567
RT_ICON | 0x2069ed0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5482851985559567
RT_ICON | 0x206a778 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.6127167630057804
RT_ICON | 0x206a778 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.6127167630057804
RT_ICON | 0x206ace0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.46141078838174276
RT_ICON | 0x206ace0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.46141078838174276
RT_ICON | 0x206d288 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.48944652908067543
RT_ICON | 0x206d288 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.48944652908067543
RT_ICON | 0x206e330 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4934426229508197
RT_ICON | 0x206e330 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4934426229508197
RT_ICON | 0x206ecb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.4512411347517731
RT_ICON | 0x206ecb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.4512411347517731
RT_ICON | 0x206f188 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.4906716417910448
RT_ICON | 0x206f188 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.4906716417910448
RT_ICON | 0x2070030 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.4720216606498195
RT_ICON | 0x2070030 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.4720216606498195
RT_ICON | 0x20708d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.43858381502890176
RT_ICON | 0x20708d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.43858381502890176
RT_ICON | 0x2070e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.2794605809128631
RT_ICON | 0x2070e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.2794605809128631
RT_ICON | 0x20733e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.2844746716697936
RT_ICON | 0x20733e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.2844746716697936
RT_ICON | 0x2074490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.3086065573770492
RT_ICON | 0x2074490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.3086065573770492
RT_ICON | 0x2074e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3342198581560284
RT_ICON | 0x2074e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3342198581560284
RT_STRING | 0x2079098 | 0x430 | data | Tamil | India | 0.45615671641791045
RT_STRING | 0x2079098 | 0x430 | data | Tamil | Sri Lanka | 0.45615671641791045
RT_STRING | 0x20794c8 | 0x7cc | data | Tamil | India | 0.4168336673346693
RT_STRING | 0x20794c8 | 0x7cc | data | Tamil | Sri Lanka | 0.4168336673346693
RT_STRING | 0x2079c98 | 0x220 | data | Tamil | India | 0.5
RT_STRING | 0x2079c98 | 0x220 | data | Tamil | Sri Lanka | 0.5
RT_STRING | 0x2079eb8 | 0x5e6 | data | Tamil | India | 0.43178807947019865
RT_STRING | 0x2079eb8 | 0x5e6 | data | Tamil | Sri Lanka | 0.43178807947019865
RT_STRING | 0x207a4a0 | 0x3c0 | data | Tamil | India | 0.4479166666666667
RT_STRING | 0x207a4a0 | 0x3c0 | data | Tamil | Sri Lanka | 0.4479166666666667
RT_ACCELERATOR | 0x2077120 | 0x38 | data | Tamil | India | 0.9107142857142857
RT_ACCELERATOR | 0x2077120 | 0x38 | data | Tamil | Sri Lanka | 0.9107142857142857
RT_GROUP_CURSOR | 0x2078e10 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x206f120 | 0x68 | data | Tamil | India | 0.7115384615384616
RT_GROUP_ICON | 0x206f120 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616
RT_GROUP_ICON | 0x2063110 | 0x76 | data | Tamil | India | 0.6610169491525424
RT_GROUP_ICON | 0x2063110 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424
RT_GROUP_ICON | 0x2068fc0 | 0x68 | data | Tamil | India | 0.7115384615384616
RT_GROUP_ICON | 0x2068fc0 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616
RT_GROUP_ICON | 0x2075280 | 0x68 | data | Tamil | India | 0.7211538461538461
RT_GROUP_ICON | 0x2075280 | 0x68 | data | Tamil | Sri Lanka | 0.7211538461538461
RT_VERSION | 0x2078e40 | 0x258 | data | | | 0.5433333333333333
DLL | Imports
KERNEL32.dll | GetCurrentProcess, GetLogicalDriveStringsW, SetComputerNameW, CreateHardLinkA, GetModuleHandleW, CreateNamedPipeW, EnumCalendarInfoExW, FindNextVolumeMountPointA, GetNumberFormatA, GetConsoleAliasExesW, TlsSetValue, LoadLibraryW, GetLocaleInfoW, GetCalendarInfoW, CreateEventA, SetVolumeMountPointA, GetFileAttributesA, EnumSystemCodePagesA, GetTimeFormatW, GetModuleFileNameW, CreateActCtxA, SetThreadPriority, GetTempPathW, CreateJobObjectA, VerifyVersionInfoW, GlobalUnfix, GetLastError, GetCurrentDirectoryW, GetProcAddress, GetLongPathNameA, PeekConsoleInputW, GetConsoleDisplayMode, LoadModule, GlobalFree, InterlockedDecrement, LoadLibraryA, InterlockedExchangeAdd, CreateFileMappingA, LocalAlloc, GetFileType, FoldStringW, SetEnvironmentVariableA, EnumDateFormatsA, GlobalUnWire, GetProcessShutdownParameters, LoadLibraryExA, GetFileTime, WaitForDebugEvent, OpenEventW, GetShortPathNameW, SetFileShortNameA, GetVersionExA, GetDiskFreeSpaceExW, GetWindowsDirectoryW, LCMapStringW, CommConfigDialogW, GetStringTypeW, ReadFile, GetProcessHeap, MultiByteToWideChar, WriteConsoleW, RaiseException, FlushFileBuffers, SetDefaultCommConfigA, GetCommState, EnumCalendarInfoW, InterlockedIncrement, GetConsoleAliasExesLengthA, SetEndOfFile, GetProcessVersion, SetStdHandle, IsValidCodePage, GetOEMCP, GetACP, HeapAlloc, EncodePointer, DecodePointer, HeapReAlloc, GetCommandLineW, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, ExitProcess, WriteFile, HeapCreate, Sleep, HeapSize, RtlUnwind, HeapFree, SetFilePointer, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, CloseHandle, CreateFileA, GetCPInfo, CreateFileW
USER32.dll | DrawStateA, LoadMenuA, CharUpperA, InsertMenuItemW, SetCaretPos, GetMenu, LoadMenuW, GetWindowLongW, GetSysColor, GetMenuStringA
GDI32.dll | GetTextCharset, GetCharWidthI, GetBkMode, GetCharWidthFloatA, CreateDCA, GetCharWidth32W
WINHTTP.dll | WinHttpCloseHandle
MSIMG32.dll | GradientFill
Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 23, 2024 20:17:12.660625935 CEST | 49715 | 25 | 192.168.2.6 | 52.101.11.0
Sep 23, 2024 20:17:13.663608074 CEST | 49715 | 25 | 192.168.2.6 | 52.101.11.0
Sep 23, 2024 20:17:15.411709070 CEST | 49716 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:17:15.411767960 CEST | 443 | 49716 | 195.58.54.132 | 192.168.2.6
Sep 23, 2024 20:17:15.411835909 CEST | 49716 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:17:15.663686037 CEST | 49715 | 25 | 192.168.2.6 | 52.101.11.0
Sep 23, 2024 20:17:19.679317951 CEST | 49715 | 25 | 192.168.2.6 | 52.101.11.0
Sep 23, 2024 20:17:27.679271936 CEST | 49715 | 25 | 192.168.2.6 | 52.101.11.0
Sep 23, 2024 20:17:32.681052923 CEST | 49721 | 25 | 192.168.2.6 | 98.136.96.74
Sep 23, 2024 20:17:33.694889069 CEST | 49721 | 25 | 192.168.2.6 | 98.136.96.74
Sep 23, 2024 20:17:35.694920063 CEST | 49721 | 25 | 192.168.2.6 | 98.136.96.74
Sep 23, 2024 20:17:39.710608959 CEST | 49721 | 25 | 192.168.2.6 | 98.136.96.74
Sep 23, 2024 20:17:47.710609913 CEST | 49721 | 25 | 192.168.2.6 | 98.136.96.74
Sep 23, 2024 20:17:52.712769985 CEST | 49724 | 25 | 192.168.2.6 | 142.250.110.27
Sep 23, 2024 20:17:53.726178885 CEST | 49724 | 25 | 192.168.2.6 | 142.250.110.27
Sep 23, 2024 20:17:55.413856983 CEST | 49716 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:17:55.413954973 CEST | 443 | 49716 | 195.58.54.132 | 192.168.2.6
Sep 23, 2024 20:17:55.414005041 CEST | 49716 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:17:55.524060011 CEST | 49726 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:17:55.524101973 CEST | 443 | 49726 | 195.58.54.132 | 192.168.2.6
Sep 23, 2024 20:17:55.524194956 CEST | 49726 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:17:55.741816998 CEST | 49724 | 25 | 192.168.2.6 | 142.250.110.27
Sep 23, 2024 20:17:59.757565975 CEST | 49724 | 25 | 192.168.2.6 | 142.250.110.27
Sep 23, 2024 20:18:07.757518053 CEST | 49724 | 25 | 192.168.2.6 | 142.250.110.27
Sep 23, 2024 20:18:12.727726936 CEST | 49728 | 25 | 192.168.2.6 | 217.69.139.150
Sep 23, 2024 20:18:13.741898060 CEST | 49728 | 25 | 192.168.2.6 | 217.69.139.150
Sep 23, 2024 20:18:15.741905928 CEST | 49728 | 25 | 192.168.2.6 | 217.69.139.150
Sep 23, 2024 20:18:19.757509947 CEST | 49728 | 25 | 192.168.2.6 | 217.69.139.150
Sep 23, 2024 20:18:27.773093939 CEST | 49728 | 25 | 192.168.2.6 | 217.69.139.150
Sep 23, 2024 20:18:35.538814068 CEST | 49726 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:18:35.538896084 CEST | 443 | 49726 | 195.58.54.132 | 192.168.2.6
Sep 23, 2024 20:18:35.538960934 CEST | 49726 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:18:35.648921013 CEST | 49730 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:18:35.649023056 CEST | 443 | 49730 | 195.58.54.132 | 192.168.2.6
Sep 23, 2024 20:18:35.649183989 CEST | 49730 | 443 | 192.168.2.6 | 195.58.54.132
Sep 23, 2024 20:19:13.288167953 CEST | 49733 | 25 | 192.168.2.6 | 52.101.11.0
Sep 23, 2024 20:19:14.288784027 CEST | 49733 | 25 | 192.168.2.6 | 52.101.11.0
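The connection table above shows two very different patterns. The port 443 sessions to 195.58.54.132 are answered (a packet comes back from port 443 within microseconds), while every port 25 connection is a run of client-side packets with no reply, spaced about 1, 2, 4 and 8 seconds apart: the SYN retransmit backoff of an unanswered connect. Over about two minutes the sandbox host tries SMTP to four unrelated mail providers, which is the behaviour a detection for a spam bot keys on. The script below is an added example, not part of the Joe Sandbox report, that folds a subset of those rows (re-separated with tabs, and embedded as constructed input) into per-connection summaries and applies that SMTP fan-out check. It assumes the private RFC 1918 address is always the client side; the three-destination threshold in `looks_like_spam_bot` is this example's own choice.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed input: a subset of the rows from the TCP table above, re-separated
# with tabs (timestamp, source port, destination port, source IP, destination IP).
FLOW_LOG = """\
Sep 23, 2024 20:17:12.660625935 CEST\t49715\t25\t192.168.2.6\t52.101.11.0
Sep 23, 2024 20:17:13.663608074 CEST\t49715\t25\t192.168.2.6\t52.101.11.0
Sep 23, 2024 20:17:15.411709070 CEST\t49716\t443\t192.168.2.6\t195.58.54.132
Sep 23, 2024 20:17:15.411767960 CEST\t443\t49716\t195.58.54.132\t192.168.2.6
Sep 23, 2024 20:17:15.411835909 CEST\t49716\t443\t192.168.2.6\t195.58.54.132
Sep 23, 2024 20:17:15.663686037 CEST\t49715\t25\t192.168.2.6\t52.101.11.0
Sep 23, 2024 20:17:19.679317951 CEST\t49715\t25\t192.168.2.6\t52.101.11.0
Sep 23, 2024 20:17:27.679271936 CEST\t49715\t25\t192.168.2.6\t52.101.11.0
Sep 23, 2024 20:17:32.681052923 CEST\t49721\t25\t192.168.2.6\t98.136.96.74
Sep 23, 2024 20:17:33.694889069 CEST\t49721\t25\t192.168.2.6\t98.136.96.74
Sep 23, 2024 20:17:52.712769985 CEST\t49724\t25\t192.168.2.6\t142.250.110.27
Sep 23, 2024 20:17:55.413856983 CEST\t49716\t443\t192.168.2.6\t195.58.54.132
Sep 23, 2024 20:17:55.413954973 CEST\t443\t49716\t195.58.54.132\t192.168.2.6
Sep 23, 2024 20:17:55.414005041 CEST\t49716\t443\t192.168.2.6\t195.58.54.132
Sep 23, 2024 20:18:12.727726936 CEST\t49728\t25\t192.168.2.6\t217.69.139.150
Sep 23, 2024 20:19:13.288167953 CEST\t49733\t25\t192.168.2.6\t52.101.11.0
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")


def parse_ts(text: str) -> datetime:
    """Parse the report's 'Sep 23, 2024 20:17:12.660625935 CEST' stamps.
    The fraction has nine digits; datetime only keeps microseconds."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


@dataclass
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    times: List[datetime] = field(default_factory=list)  # client-side packets
    answered: bool = False                                # any server-side packet seen

    @property
    def attempts(self) -> int:
        return len(self.times)

    @property
    def gaps(self) -> List[float]:
        """Seconds between successive client packets; an unanswered connect
        shows the SYN retransmit backoff (about 1, 2, 4, 8 s)."""
        t = sorted(self.times)
        return [(b - a).total_seconds() for a, b in zip(t, t[1:])]


def parse_rows(log: str) -> List[Tuple[datetime, int, int, str, str]]:
    rows = []
    for line in log.splitlines():
        if line.strip():
            ts, sport, dport, src, dst = line.split("\t")
            rows.append((parse_ts(ts), int(sport), int(dport), src, dst))
    return rows


def summarize_flows(rows) -> Dict[Tuple[str, int, str, int], Conn]:
    """Fold packets into client->server connections. Assumption: the private
    (sandbox) address is the client; a packet from the public peer marks the
    connection as answered."""
    conns: Dict[Tuple[str, int, str, int], Conn] = {}
    for ts, sport, dport, src, dst in rows:
        if ip_address(src).is_private and not ip_address(dst).is_private:
            key = (src, sport, dst, dport)
            conns.setdefault(key, Conn(*key)).times.append(ts)
        else:
            key = (dst, dport, src, sport)
            conns.setdefault(key, Conn(*key)).answered = True
    return conns


def smtp_fanout(conns: Dict, client: str, port: int = 25) -> Dict:
    """Distinct SMTP peers one host tried to reach, answered or not."""
    smtp = [c for c in conns.values() if c.src == client and c.dport == port]
    return {
        "destinations": sorted({c.dst for c in smtp}),
        "connections": len(smtp),
        "unanswered": sum(1 for c in smtp if not c.answered),
    }


def looks_like_spam_bot(report: Dict, min_destinations: int = 3) -> bool:
    """A workstation opening SMTP to several unrelated mail exchangers within
    minutes is a spam-bot tell; the threshold is this example's choice."""
    return len(report["destinations"]) >= min_destinations


if __name__ == "__main__":
    conns = summarize_flows(parse_rows(FLOW_LOG))
    for c in conns.values():
        print(f"{c.src}:{c.sport} -> {c.dst}:{c.dport} attempts={c.attempts} "
              f"answered={c.answered} gaps={[round(g) for g in c.gaps]}")
    print(smtp_fanout(conns, "192.168.2.6"))
```

The same logic applies to a firewall or NetFlow export: a workstation's outbound port 25 should go only to the organisation's own relay, so distinct SMTP destinations per client over a short window is the field to alert on, and the retransmit gaps tell you whether the sandbox (or an egress filter) silently dropped the traffic or the peer actually talked back.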
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 23, 2024 20:17:12.388784885 CEST | 55770 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:17:12.659671068 CEST | 53 | 55770 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:17:15.290523052 CEST | 63427 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:17:15.410991907 CEST | 53 | 63427 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:17:32.664135933 CEST | 57555 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:17:32.671399117 CEST | 53 | 57555 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:17:32.672019958 CEST | 58950 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:17:32.680217981 CEST | 53 | 58950 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:17:52.695506096 CEST | 59617 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:17:52.704253912 CEST | 53 | 59617 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:17:52.704848051 CEST | 54970 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:17:52.712265015 CEST | 53 | 54970 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:18:12.711414099 CEST | 52829 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:18:12.718822956 CEST | 53 | 52829 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:18:12.719695091 CEST | 57427 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:18:12.727164030 CEST | 53 | 57427 | 1.1.1.1 | 192.168.2.6
Sep 23, 2024 20:19:13.254934072 CEST | 54947 | 53 | 192.168.2.6 | 1.1.1.1
Sep 23, 2024 20:19:13.286005974 CEST | 53 | 54947 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 23, 2024 20:17:12.388784885 CEST | 192.168.2.6 | 1.1.1.1 | 0x50c6 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:15.290523052 CEST | 192.168.2.6 | 1.1.1.1 | 0x2ea3 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.664135933 CEST | 192.168.2.6 | 1.1.1.1 | 0x5cb5 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:17:32.672019958 CEST | 192.168.2.6 | 1.1.1.1 | 0x3565 | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:52.695506096 CEST | 192.168.2.6 | 1.1.1.1 | 0x88d5 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:17:52.704848051 CEST | 192.168.2.6 | 1.1.1.1 | 0x6836 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:18:12.711414099 CEST | 192.168.2.6 | 1.1.1.1 | 0xf757 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:18:12.719695091 CEST | 192.168.2.6 | 1.1.1.1 | 0x77cd | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:19:13.254934072 CEST | 192.168.2.6 | 1.1.1.1 | 0x44d1 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 23, 2024 20:17:12.659671068 CEST | 1.1.1.1 | 192.168.2.6 | 0x50c6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:12.659671068 CEST | 1.1.1.1 | 192.168.2.6 | 0x50c6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:12.659671068 CEST | 1.1.1.1 | 192.168.2.6 | 0x50c6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:12.659671068 CEST | 1.1.1.1 | 192.168.2.6 | 0x50c6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:15.410991907 CEST | 1.1.1.1 | 192.168.2.6 | 0x2ea3 | No error (0) | vanaheim.cn | | 195.58.54.132 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.671399117 CEST | 1.1.1.1 | 192.168.2.6 | 0x5cb5 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:17:32.671399117 CEST | 1.1.1.1 | 192.168.2.6 | 0x5cb5 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:17:32.671399117 CEST | 1.1.1.1 | 192.168.2.6 | 0x5cb5 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:32.680217981 CEST | 1.1.1.1 | 192.168.2.6 | 0x3565 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:52.704253912 CEST | 1.1.1.1 | 192.168.2.6 | 0x88d5 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:17:52.712265015 CEST | 1.1.1.1 | 192.168.2.6 | 0x6836 | No error (0) | smtp.google.com | | 142.250.110.27 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:52.712265015 CEST | 1.1.1.1 | 192.168.2.6 | 0x6836 | No error (0) | smtp.google.com | | 66.102.1.26 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:52.712265015 CEST | 1.1.1.1 | 192.168.2.6 | 0x6836 | No error (0) | smtp.google.com | | 66.102.1.27 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:52.712265015 CEST | 1.1.1.1 | 192.168.2.6 | 0x6836 | No error (0) | smtp.google.com | | 142.250.110.26 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:17:52.712265015 CEST | 1.1.1.1 | 192.168.2.6 | 0x6836 | No error (0) | smtp.google.com | | 173.194.76.26 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:18:12.718822956 CEST | 1.1.1.1 | 192.168.2.6 | 0xf757 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 23, 2024 20:18:12.727164030 CEST | 1.1.1.1 | 192.168.2.6 | 0x77cd | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:18:12.727164030 CEST | 1.1.1.1 | 192.168.2.6 | 0x77cd | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:19:13.286005974 CEST | 1.1.1.1 | 192.168.2.6 | 0x44d1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:19:13.286005974 CEST | 1.1.1.1 | 192.168.2.6 | 0x44d1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:19:13.286005974 CEST | 1.1.1.1 | 192.168.2.6 | 0x44d1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 23, 2024 20:19:13.286005974 CEST | 1.1.1.1 | 192.168.2.6 | 0x44d1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false


                                                                                        Target ID:0
                                                                                        Start time:14:17:05
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Users\user\Desktop\rXTqHar5Ud.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\rXTqHar5Ud.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:406'528 bytes
                                                                                        MD5 hash:F403202FB853377CEB67200005EF95B8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2174520005.00000000024BE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2127342938.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:14:17:06
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dkajlqvv\
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:14:17:06
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:14:17:06
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\dpbgdjiw.exe" C:\Windows\SysWOW64\dkajlqvv\
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:14:17:06
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:14:17:07
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\sc.exe" create dkajlqvv binPath= "C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d\"C:\Users\user\Desktop\rXTqHar5Ud.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                        Imagebase:0xee0000
                                                                                        File size:61'440 bytes
                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:14:17:07
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:14:17:07
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\sc.exe" description dkajlqvv "wifi internet conection"
                                                                                        Imagebase:0xee0000
                                                                                        File size:61'440 bytes
                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:14:17:07
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:14:17:08
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\sc.exe" start dkajlqvv
                                                                                        Imagebase:0xee0000
                                                                                        File size:61'440 bytes
                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:14:17:08
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:14:17:08
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe /d"C:\Users\user\Desktop\rXTqHar5Ud.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:15'208'448 bytes
                                                                                        MD5 hash:E30808D178C5406E7E08BAE69EC89233
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2174434288.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2167679772.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2174342309.0000000002568000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:14:17:09
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                        Imagebase:0xa60000
                                                                                        File size:82'432 bytes
                                                                                        MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:14:17:09
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:14:17:09
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                        Imagebase:0x7ff7403e0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:14:17:09
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:svchost.exe
                                                                                        Imagebase:0x960000
                                                                                        File size:46'504 bytes
                                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:false

                                                                                        Target ID:17
                                                                                        Start time:14:17:09
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2532 -ip 2532
                                                                                        Imagebase:0xb60000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:14:17:09
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 4892
                                                                                        Imagebase:0xb60000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:14:17:10
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1200
                                                                                        Imagebase:0xb60000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:20
                                                                                        Start time:14:17:10
                                                                                        Start date:23/09/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 564
                                                                                        Imagebase:0xb60000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:3.8%
                                                                                          Dynamic/Decrypted Code Coverage:4.1%
                                                                                          Signature Coverage:26.3%
                                                                                          Total number of Nodes:1505
                                                                                          Total number of Limit Nodes:17
                                                                                          execution_graph: [node and edge listing of the interactive execution graph (function addresses, API calls and call edges) not reproducible as text]
RegCloseKey 14849->14850 14850->14841 14850->14843 14850->14844 14850->14845 14850->14849 14852 40f1a5 lstrlenA 14850->14852 14853 40777e GetFileAttributesExA 14850->14853 14854 407769 14850->14854 14851 4077e3 RegCloseKey 14851->14848 14852->14850 14853->14854 14854->14851 14856 407073 14855->14856 14857 4070b9 RegOpenKeyExA 14856->14857 14858 4070d0 14857->14858 14872 4071b8 14857->14872 14859 406dc2 6 API calls 14858->14859 14862 4070d5 14859->14862 14860 40719b RegEnumValueA 14861 4071af RegCloseKey 14860->14861 14860->14862 14861->14872 14862->14860 14864 4071d0 14862->14864 14878 40f1a5 lstrlenA 14862->14878 14865 407205 RegCloseKey 14864->14865 14866 407227 14864->14866 14865->14872 14867 4072b8 ___ascii_stricmp 14866->14867 14868 40728e RegCloseKey 14866->14868 14869 4072cd RegCloseKey 14867->14869 14870 4072dd 14867->14870 14868->14872 14869->14872 14871 407311 RegCloseKey 14870->14871 14874 407335 14870->14874 14871->14872 14872->14451 14873 4073d5 RegCloseKey 14875 4073e4 14873->14875 14874->14873 14876 40737e GetFileAttributesExA 14874->14876 14877 407397 14874->14877 14876->14877 14877->14873 14879 40f1c3 14878->14879 14879->14862 14881 403ee2 14880->14881 14882 403edc 14880->14882 14881->14457 14883 406dc2 6 API calls 14882->14883 14883->14881 14885 40400b CreateFileA 14884->14885 14886 40402c GetLastError 14885->14886 14887 404052 14885->14887 14886->14887 14888 404037 14886->14888 14887->14455 14887->14460 14887->14461 14888->14887 14889 404041 Sleep 14888->14889 14889->14885 14889->14887 14891 403f7c 14890->14891 14892 403f4e GetLastError 14890->14892 14894 403f8c ReadFile 14891->14894 14892->14891 14893 403f5b WaitForSingleObject GetOverlappedResult 14892->14893 14893->14891 14895 403fc2 GetLastError 14894->14895 14897 403ff0 14894->14897 14896 403fcf WaitForSingleObject GetOverlappedResult 14895->14896 14895->14897 14896->14897 14897->14466 14897->14467 14901 40eb74 14898->14901 14902 40eb7b GetProcessHeap HeapSize 14901->14902 14903 404350 
14901->14903 14902->14903 14903->14474 14905 401924 GetVersionExA 14904->14905 14905->14518 14907 406eef AllocateAndInitializeSid 14906->14907 14913 406f55 14906->14913 14908 406f44 14907->14908 14909 406f1c CheckTokenMembership 14907->14909 14908->14913 14940 406e36 GetUserNameW 14908->14940 14910 406f3b FreeSid 14909->14910 14911 406f2e 14909->14911 14910->14908 14911->14910 14913->14528 14915 40920e 14914->14915 14918 409308 14914->14918 14915->14915 14916 4092f1 Sleep 14915->14916 14917 4092bf ShellExecuteA 14915->14917 14915->14918 14916->14915 14917->14915 14917->14918 14918->14544 14920 40ef32 14919->14920 14920->14543 14922 40f0f1 14921->14922 14923 40f0ed 14921->14923 14924 40f119 14922->14924 14925 40f0fa lstrlenA SysAllocStringByteLen 14922->14925 14923->14550 14927 40f11c MultiByteToWideChar 14924->14927 14926 40f117 14925->14926 14925->14927 14926->14550 14927->14926 14929 401820 17 API calls 14928->14929 14930 4018f2 14929->14930 14931 4018f9 14930->14931 14943 401280 14930->14943 14931->14544 14933 401908 14933->14544 14956 401000 14934->14956 14936 401839 14937 401851 GetCurrentProcess 14936->14937 14938 40183d 14936->14938 14939 401864 14937->14939 14938->14535 14939->14535 14941 406e5f LookupAccountNameW 14940->14941 14942 406e97 14940->14942 14941->14942 14942->14913 14946 4012e1 ShellExecuteExW 14943->14946 14945 4016f9 GetLastError 14947 401699 14945->14947 14946->14945 14953 4013a8 14946->14953 14947->14933 14948 401570 lstrlenW 14948->14953 14949 4015be GetStartupInfoW 14949->14953 14950 4015ff CreateProcessWithLogonW 14951 4016bf GetLastError 14950->14951 14952 40163f WaitForSingleObject 14950->14952 14951->14947 14952->14953 14954 401659 CloseHandle 14952->14954 14953->14947 14953->14948 14953->14949 14953->14950 14955 401668 CloseHandle 14953->14955 14954->14953 14955->14953 14957 40100d LoadLibraryA 14956->14957 14958 401023 14956->14958 14957->14958 14960 401021 14957->14960 14959 4010b5 GetProcAddress 14958->14959 14976 4010ae 
14958->14976 14961 4010d1 GetProcAddress 14959->14961 14962 40127b 14959->14962 14960->14936 14961->14962 14963 4010f0 GetProcAddress 14961->14963 14962->14936 14963->14962 14964 401110 GetProcAddress 14963->14964 14964->14962 14965 401130 GetProcAddress 14964->14965 14965->14962 14966 40114f GetProcAddress 14965->14966 14966->14962 14967 40116f GetProcAddress 14966->14967 14967->14962 14968 40118f GetProcAddress 14967->14968 14968->14962 14969 4011ae GetProcAddress 14968->14969 14969->14962 14970 4011ce GetProcAddress 14969->14970 14970->14962 14971 4011ee GetProcAddress 14970->14971 14971->14962 14972 401209 GetProcAddress 14971->14972 14972->14962 14973 401225 GetProcAddress 14972->14973 14973->14962 14974 401241 GetProcAddress 14973->14974 14974->14962 14975 40125c GetProcAddress 14974->14975 14975->14962 14976->14936 14979 4069b9 WriteFile 14977->14979 14980 406a3c 14979->14980 14981 4069ff 14979->14981 14980->14560 14980->14561 14981->14980 14982 406a10 WriteFile 14981->14982 14982->14980 14982->14981 14984 40eb17 14983->14984 14985 40eb21 14983->14985 14987 40eae4 14984->14987 14985->14564 14988 40eb02 GetProcAddress 14987->14988 14989 40eaed LoadLibraryA 14987->14989 14988->14985 14989->14988 14990 40eb01 14989->14990 14990->14985 14992 40eba7 GetProcessHeap HeapSize 14991->14992 14993 40ebbf GetProcessHeap HeapFree 14991->14993 14992->14993 14993->14593 14995 40908d 14994->14995 14996 4090e2 wsprintfA 14995->14996 14997 40ee2a 14996->14997 14998 4090fd CreateFileA 14997->14998 14999 40911a lstrlenA WriteFile CloseHandle 14998->14999 15000 40913f 14998->15000 14999->15000 15000->14602 15000->14603 15002 40ee2a 15001->15002 15003 409794 CreateProcessA 15002->15003 15004 4097c2 15003->15004 15005 4097bb 15003->15005 15006 4097d4 GetThreadContext 15004->15006 15005->14614 15007 409801 15006->15007 15008 4097f5 15006->15008 15015 40637c 15007->15015 15010 4097f6 TerminateProcess 15008->15010 15010->15005 15011 409816 15011->15010 15012 40981e WriteProcessMemory 
15011->15012 15012->15008 15013 40983b SetThreadContext 15012->15013 15013->15008 15014 409858 ResumeThread 15013->15014 15014->15005 15016 406386 15015->15016 15017 40638a GetModuleHandleA VirtualAlloc 15015->15017 15016->15011 15018 4063f5 15017->15018 15019 4063b6 15017->15019 15018->15011 15020 4063be VirtualAllocEx 15019->15020 15020->15018 15021 4063d6 15020->15021 15022 4063df WriteProcessMemory 15021->15022 15022->15018 15024 40dd41 InterlockedExchange 15023->15024 15025 40dd20 GetCurrentThreadId 15024->15025 15026 40dd4a 15024->15026 15027 40dd53 GetCurrentThreadId 15025->15027 15028 40dd2e GetTickCount 15025->15028 15026->15027 15027->14617 15028->15026 15029 40dd39 Sleep 15028->15029 15029->15024 15031 40dbf0 15030->15031 15063 40db67 GetEnvironmentVariableA 15031->15063 15033 40dc19 15034 40dcda 15033->15034 15035 40db67 3 API calls 15033->15035 15034->14619 15036 40dc5c 15035->15036 15036->15034 15037 40db67 3 API calls 15036->15037 15038 40dc9b 15037->15038 15038->15034 15039 40db67 3 API calls 15038->15039 15039->15034 15041 40db3a 15040->15041 15043 40db55 15040->15043 15067 40ebed 15041->15067 15043->14621 15043->14626 15076 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15044->15076 15046 40e3be 15046->14621 15047 40e342 15047->15046 15079 40de24 15047->15079 15050 40e528 15049->15050 15051 40e3f4 15049->15051 15050->14631 15052 40e434 RegQueryValueExA 15051->15052 15053 40e458 15052->15053 15054 40e51d RegCloseKey 15052->15054 15055 40e46e RegQueryValueExA 15053->15055 15054->15050 15055->15053 15056 40e488 15055->15056 15056->15054 15057 40db2e 8 API calls 15056->15057 15058 40e499 15057->15058 15058->15054 15059 40e4b9 RegQueryValueExA 15058->15059 15060 40e4e8 15058->15060 15059->15058 15059->15060 15060->15054 15061 40e332 14 API calls 15060->15061 15062 40e513 15061->15062 15062->15054 15064 40db89 lstrcpyA CreateFileA 15063->15064 15065 40dbca 15063->15065 15064->15033 15065->15033 15068 40ec01 15067->15068 15069 40ebf6 15067->15069 
15071 40eba0 codecvt 2 API calls 15068->15071 15070 40ebcc 4 API calls 15069->15070 15072 40ebfe 15070->15072 15073 40ec0a GetProcessHeap HeapReAlloc 15071->15073 15072->15043 15074 40eb74 2 API calls 15073->15074 15075 40ec28 15074->15075 15075->15043 15090 40eb41 15076->15090 15080 40de3a 15079->15080 15086 40de4e 15080->15086 15094 40dd84 15080->15094 15083 40ebed 8 API calls 15088 40def6 15083->15088 15084 40de9e 15084->15083 15084->15086 15085 40de76 15098 40ddcf 15085->15098 15086->15047 15088->15086 15089 40ddcf lstrcmpA 15088->15089 15089->15086 15091 40eb4a 15090->15091 15093 40eb54 15090->15093 15092 40eae4 2 API calls 15091->15092 15092->15093 15093->15047 15095 40dd96 15094->15095 15096 40ddc5 15094->15096 15095->15096 15097 40ddad lstrcmpiA 15095->15097 15096->15084 15096->15085 15097->15095 15097->15096 15099 40de20 15098->15099 15100 40dddd 15098->15100 15099->15086 15100->15099 15101 40ddfa lstrcmpA 15100->15101 15101->15100 15103 40dd05 6 API calls 15102->15103 15104 40e821 15103->15104 15105 40dd84 lstrcmpiA 15104->15105 15106 40e82c 15105->15106 15107 40e844 15106->15107 15150 402480 15106->15150 15107->14646 15110 40dd05 6 API calls 15109->15110 15111 40df7c 15110->15111 15112 40dd84 lstrcmpiA 15111->15112 15116 40df89 15112->15116 15113 40dfc4 15113->14652 15114 40ddcf lstrcmpA 15114->15116 15115 40ec2e codecvt 4 API calls 15115->15116 15116->15113 15116->15114 15116->15115 15117 40dd84 lstrcmpiA 15116->15117 15117->15116 15119 40ea98 15118->15119 15159 40e8a1 15119->15159 15121 401e84 15121->14655 15123 4019d5 GetProcAddress GetProcAddress GetProcAddress 15122->15123 15126 4019ce 15122->15126 15124 401ab3 FreeLibrary 15123->15124 15125 401a04 15123->15125 15124->15126 15125->15124 15127 401a14 GetProcessHeap 15125->15127 15126->14659 15127->15126 15129 401a2e HeapAlloc 15127->15129 15129->15126 15130 401a42 15129->15130 15131 401a62 15130->15131 15132 401a52 HeapReAlloc 15130->15132 15133 401aa1 FreeLibrary 15131->15133 15134 401a96 HeapFree 
15131->15134 15132->15131 15133->15126 15134->15133 15187 401ac3 LoadLibraryA 15135->15187 15138 401bcf 15138->14671 15140 401ac3 12 API calls 15139->15140 15141 401c09 15140->15141 15142 401c41 15141->15142 15143 401c0d GetComputerNameA 15141->15143 15142->14678 15144 401c45 GetVolumeInformationA 15143->15144 15145 401c1f 15143->15145 15144->15142 15145->15142 15145->15144 15147 40ee2a 15146->15147 15148 4030d0 gethostname gethostbyname 15147->15148 15149 401f82 15148->15149 15149->14683 15149->14685 15153 402419 lstrlenA 15150->15153 15152 402491 15152->15107 15154 402474 15153->15154 15155 40243d lstrlenA 15153->15155 15154->15152 15156 402464 lstrlenA 15155->15156 15157 40244e lstrcmpiA 15155->15157 15156->15154 15156->15155 15157->15156 15158 40245c 15157->15158 15158->15154 15158->15156 15160 40dd05 6 API calls 15159->15160 15161 40e8b4 15160->15161 15162 40dd84 lstrcmpiA 15161->15162 15163 40e8c0 15162->15163 15164 40e90a 15163->15164 15165 40e8c8 lstrcpynA 15163->15165 15167 402419 4 API calls 15164->15167 15175 40ea27 15164->15175 15166 40e8f5 15165->15166 15180 40df4c 15166->15180 15168 40e926 lstrlenA lstrlenA 15167->15168 15170 40e96a 15168->15170 15171 40e94c lstrlenA 15168->15171 15174 40ebcc 4 API calls 15170->15174 15170->15175 15171->15170 15172 40e901 15173 40dd84 lstrcmpiA 15172->15173 15173->15164 15176 40e98f 15174->15176 15175->15121 15176->15175 15177 40df4c 20 API calls 15176->15177 15178 40ea1e 15177->15178 15179 40ec2e codecvt 4 API calls 15178->15179 15179->15175 15181 40dd05 6 API calls 15180->15181 15182 40df51 15181->15182 15183 40f04e 4 API calls 15182->15183 15184 40df58 15183->15184 15185 40de24 10 API calls 15184->15185 15186 40df63 15185->15186 15186->15172 15188 401ae2 GetProcAddress 15187->15188 15190 401b68 GetComputerNameA GetVolumeInformationA 15187->15190 15188->15190 15191 401af5 15188->15191 15189 40ebed 8 API calls 15189->15191 15190->15138 15191->15189 15192 401b29 15191->15192 15192->15190 15192->15192 15193 40ec2e 
codecvt 4 API calls 15192->15193 15193->15190 15195 406ec3 2 API calls 15194->15195 15196 407ef4 15195->15196 15197 4073ff 17 API calls 15196->15197 15206 407fc9 15196->15206 15198 407f16 15197->15198 15198->15206 15207 407809 GetUserNameA 15198->15207 15200 407f63 15201 40ef1e lstrlenA 15200->15201 15200->15206 15202 407fa6 15201->15202 15203 40ef1e lstrlenA 15202->15203 15204 407fb7 15203->15204 15231 407a95 RegOpenKeyExA 15204->15231 15206->14697 15208 40783d LookupAccountNameA 15207->15208 15209 407a8d 15207->15209 15208->15209 15210 407874 GetLengthSid GetFileSecurityA 15208->15210 15209->15200 15210->15209 15211 4078a8 GetSecurityDescriptorOwner 15210->15211 15212 4078c5 EqualSid 15211->15212 15213 40791d GetSecurityDescriptorDacl 15211->15213 15212->15213 15214 4078dc LocalAlloc 15212->15214 15213->15209 15228 407941 15213->15228 15214->15213 15215 4078ef InitializeSecurityDescriptor 15214->15215 15216 407916 LocalFree 15215->15216 15217 4078fb SetSecurityDescriptorOwner 15215->15217 15216->15213 15217->15216 15219 40790b SetFileSecurityA 15217->15219 15218 40795b GetAce 15218->15228 15219->15216 15220 407980 EqualSid 15220->15228 15221 4079be EqualSid 15221->15228 15222 407a3d 15222->15209 15223 407a43 LocalAlloc 15222->15223 15223->15209 15225 407a56 InitializeSecurityDescriptor 15223->15225 15224 40799d DeleteAce 15224->15228 15226 407a62 SetSecurityDescriptorDacl 15225->15226 15227 407a86 LocalFree 15225->15227 15226->15227 15229 407a73 SetFileSecurityA 15226->15229 15227->15209 15228->15209 15228->15218 15228->15220 15228->15221 15228->15222 15228->15224 15229->15227 15230 407a83 15229->15230 15230->15227 15232 407ac4 15231->15232 15233 407acb GetUserNameA 15231->15233 15232->15206 15234 407da7 RegCloseKey 15233->15234 15235 407aed LookupAccountNameA 15233->15235 15234->15232 15235->15234 15236 407b24 RegGetKeySecurity 15235->15236 15236->15234 15237 407b49 GetSecurityDescriptorOwner 15236->15237 15238 407b63 EqualSid 15237->15238 15239 407bb8 
GetSecurityDescriptorDacl 15237->15239 15238->15239 15240 407b74 LocalAlloc 15238->15240 15241 407da6 15239->15241 15251 407bdc 15239->15251 15240->15239 15242 407b8a InitializeSecurityDescriptor 15240->15242 15241->15234 15243 407bb1 LocalFree 15242->15243 15244 407b96 SetSecurityDescriptorOwner 15242->15244 15243->15239 15244->15243 15246 407ba6 RegSetKeySecurity 15244->15246 15245 407bf8 GetAce 15245->15251 15246->15243 15247 407c1d EqualSid 15247->15251 15248 407c5f EqualSid 15248->15251 15249 407cd9 15249->15241 15252 407d5a LocalAlloc 15249->15252 15253 407cf2 RegOpenKeyExA 15249->15253 15250 407c3a DeleteAce 15250->15251 15251->15241 15251->15245 15251->15247 15251->15248 15251->15249 15251->15250 15252->15241 15254 407d70 InitializeSecurityDescriptor 15252->15254 15253->15252 15257 407d0f 15253->15257 15255 407d7c SetSecurityDescriptorDacl 15254->15255 15256 407d9f LocalFree 15254->15256 15255->15256 15258 407d8c RegSetKeySecurity 15255->15258 15256->15241 15257->15257 15260 407d43 RegSetValueExA 15257->15260 15258->15256 15259 407d9c 15258->15259 15259->15256 15260->15252 15261 407d54 15260->15261 15261->15252 15262->14713 15264 40dd05 6 API calls 15263->15264 15267 40e65f 15264->15267 15265 40e6a5 15266 40ebcc 4 API calls 15265->15266 15271 40e6f5 15265->15271 15269 40e6b0 15266->15269 15267->15265 15268 40e68c lstrcmpA 15267->15268 15268->15267 15270 40e6e0 lstrcpynA 15269->15270 15269->15271 15273 40e6b7 15269->15273 15270->15271 15272 40e71d lstrcmpA 15271->15272 15271->15273 15272->15271 15273->14715 15274->14721 15276 40c525 15275->15276 15277 40c532 15275->15277 15276->15277 15279 40ec2e codecvt 4 API calls 15276->15279 15278 40c548 15277->15278 15427 40e7ff 15277->15427 15281 40e7ff lstrcmpiA 15278->15281 15288 40c54f 15278->15288 15279->15277 15282 40c615 15281->15282 15283 40ebcc 4 API calls 15282->15283 15282->15288 15283->15288 15284 40c5d1 15286 40ebcc 4 API calls 15284->15286 15286->15288 15287 40e819 11 API calls 15289 40c5b7 15287->15289 
15288->14734 15290 40f04e 4 API calls 15289->15290 15291 40c5bf 15290->15291 15291->15278 15291->15284 15293 402692 inet_addr 15292->15293 15294 40268e 15292->15294 15293->15294 15295 40269e gethostbyname 15293->15295 15296 40f428 15294->15296 15295->15294 15430 40f315 15296->15430 15300 40c8d2 15299->15300 15301 40c907 15300->15301 15302 40c517 23 API calls 15300->15302 15301->14736 15302->15301 15303 40f43e 15304 40f473 recv 15303->15304 15305 40f47c 15304->15305 15306 40f458 15304->15306 15305->14752 15306->15304 15306->15305 15308 40c670 15307->15308 15309 40c67d 15307->15309 15310 40ebcc 4 API calls 15308->15310 15311 40ebcc 4 API calls 15309->15311 15312 40c699 15309->15312 15310->15309 15311->15312 15313 40c6f3 15312->15313 15314 40c73c send 15312->15314 15313->14765 15313->14788 15314->15313 15316 40c770 15315->15316 15317 40c77d 15315->15317 15318 40ebcc 4 API calls 15316->15318 15319 40c799 15317->15319 15321 40ebcc 4 API calls 15317->15321 15318->15317 15320 40c7b5 15319->15320 15322 40ebcc 4 API calls 15319->15322 15323 40f43e recv 15320->15323 15321->15319 15322->15320 15324 40c7cb 15323->15324 15325 40f43e recv 15324->15325 15326 40c7d3 15324->15326 15325->15326 15326->14788 15443 407db7 15327->15443 15330 407e70 15332 40f04e 4 API calls 15330->15332 15334 407e96 15330->15334 15331 40f04e 4 API calls 15333 407e4c 15331->15333 15332->15334 15333->15330 15335 40f04e 4 API calls 15333->15335 15334->14788 15335->15330 15337 406ec3 2 API calls 15336->15337 15338 407fdd 15337->15338 15339 4073ff 17 API calls 15338->15339 15348 4080c2 CreateProcessA 15338->15348 15340 407fff 15339->15340 15341 407809 21 API calls 15340->15341 15340->15348 15342 40804d 15341->15342 15343 40ef1e lstrlenA 15342->15343 15342->15348 15344 40809e 15343->15344 15345 40ef1e lstrlenA 15344->15345 15346 4080af 15345->15346 15347 407a95 24 API calls 15346->15347 15347->15348 15348->14818 15348->14819 15350 407db7 2 API calls 15349->15350 15351 407eb8 15350->15351 15352 40f04e 4 API 
calls 15351->15352 15353 407ece DeleteFileA 15352->15353 15353->14788 15355 40dd05 6 API calls 15354->15355 15356 40e31d 15355->15356 15447 40e177 15356->15447 15358 40e326 15358->14790 15360 4031f3 15359->15360 15361 4031ec 15359->15361 15362 40ebcc 4 API calls 15360->15362 15361->14788 15375 4031fc 15362->15375 15363 403459 15366 40f04e 4 API calls 15363->15366 15364 40349d 15365 40ec2e codecvt 4 API calls 15364->15365 15365->15361 15367 40345f 15366->15367 15369 4030fa 4 API calls 15367->15369 15368 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15368->15375 15369->15361 15370 40344d 15371 40ec2e codecvt 4 API calls 15370->15371 15372 40344b 15371->15372 15372->15363 15372->15364 15374 403141 lstrcmpiA 15374->15375 15375->15361 15375->15368 15375->15370 15375->15372 15375->15374 15473 4030fa GetTickCount 15375->15473 15377 4030fa 4 API calls 15376->15377 15378 403c1a 15377->15378 15382 403ce6 15378->15382 15478 403a72 15378->15478 15381 403a72 9 API calls 15385 403c5e 15381->15385 15382->14788 15383 403a72 9 API calls 15383->15385 15384 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15384->15385 15385->15382 15385->15383 15385->15384 15387 403a10 15386->15387 15388 4030fa 4 API calls 15387->15388 15389 403a1a 15388->15389 15389->14788 15391 40dd05 6 API calls 15390->15391 15392 40e7be 15391->15392 15392->14788 15394 40c07e wsprintfA 15393->15394 15398 40c105 15393->15398 15487 40bfce GetTickCount wsprintfA 15394->15487 15396 40c0ef 15488 40bfce GetTickCount wsprintfA 15396->15488 15398->14788 15400 407047 15399->15400 15401 406f88 LookupAccountNameA 15399->15401 15400->14788 15403 407025 15401->15403 15404 406fcb 15401->15404 15405 406edd 5 API calls 15403->15405 15407 406fdb ConvertSidToStringSidA 15404->15407 15406 40702a wsprintfA 15405->15406 15406->15400 15407->15403 15408 406ff1 15407->15408 15409 407013 LocalFree 15408->15409 15409->15403 15411 40dd05 6 API calls 15410->15411 15412 40e85c 15411->15412 15413 40dd84 lstrcmpiA 
15412->15413 15414 40e867 15413->15414 15415 40e885 lstrcpyA 15414->15415 15489 4024a5 15414->15489 15492 40dd69 15415->15492 15421 407db7 2 API calls 15420->15421 15422 407de1 15421->15422 15423 407e16 15422->15423 15424 40f04e 4 API calls 15422->15424 15423->14788 15425 407df2 15424->15425 15425->15423 15426 40f04e 4 API calls 15425->15426 15426->15423 15428 40dd84 lstrcmpiA 15427->15428 15429 40c58e 15428->15429 15429->15278 15429->15284 15429->15287 15431 40f33b 15430->15431 15438 40ca1d 15430->15438 15432 40f347 htons socket 15431->15432 15433 40f382 ioctlsocket 15432->15433 15434 40f374 closesocket 15432->15434 15435 40f3aa connect select 15433->15435 15436 40f39d 15433->15436 15434->15438 15435->15438 15439 40f3f2 __WSAFDIsSet 15435->15439 15437 40f39f closesocket 15436->15437 15437->15438 15438->14749 15438->15303 15439->15437 15440 40f403 ioctlsocket 15439->15440 15442 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15440->15442 15442->15438 15444 407dc8 InterlockedExchange 15443->15444 15445 407dc0 Sleep 15444->15445 15446 407dd4 15444->15446 15445->15444 15446->15330 15446->15331 15448 40e184 15447->15448 15449 40e2e4 15448->15449 15450 40e223 15448->15450 15463 40dfe2 15448->15463 15449->15358 15450->15449 15452 40dfe2 8 API calls 15450->15452 15454 40e23c 15452->15454 15453 40e1be 15453->15450 15455 40dbcf 3 API calls 15453->15455 15454->15449 15467 40e095 RegCreateKeyExA 15454->15467 15457 40e1d6 15455->15457 15456 40e21a CloseHandle 15456->15450 15457->15450 15457->15456 15458 40e1f9 WriteFile 15457->15458 15458->15456 15460 40e213 15458->15460 15460->15456 15461 40e2a3 15461->15449 15462 40e095 4 API calls 15461->15462 15462->15449 15464 40dffc 15463->15464 15466 40e024 15463->15466 15465 40db2e 8 API calls 15464->15465 15464->15466 15465->15466 15466->15453 15468 40e172 15467->15468 15471 40e0c0 15467->15471 15468->15461 15469 40e13d 15470 40e14e RegDeleteValueA RegCloseKey 15469->15470 15470->15468 15471->15469 15472 40e115 
RegSetValueExA 15471->15472 15472->15469 15472->15471 15474 403122 InterlockedExchange 15473->15474 15475 40312e 15474->15475 15476 40310f GetTickCount 15474->15476 15475->15375 15476->15475 15477 40311a Sleep 15476->15477 15477->15474 15479 40f04e 4 API calls 15478->15479 15486 403a83 15479->15486 15480 403ac1 15480->15381 15480->15382 15481 403be6 15483 40ec2e codecvt 4 API calls 15481->15483 15482 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15484 403bc0 15482->15484 15483->15480 15484->15481 15484->15482 15485 403b66 lstrlenA 15485->15480 15485->15486 15486->15480 15486->15484 15486->15485 15487->15396 15488->15398 15490 402419 4 API calls 15489->15490 15491 4024b6 15490->15491 15491->15415 15493 40dd79 lstrlenA 15492->15493 15493->14788 15495 404084 15494->15495 15496 40407d 15494->15496 15497 403ecd 6 API calls 15495->15497 15498 40408f 15497->15498 15499 404000 3 API calls 15498->15499 15501 404095 15499->15501 15500 404130 15502 403ecd 6 API calls 15500->15502 15501->15500 15506 403f18 4 API calls 15501->15506 15503 404159 CreateNamedPipeA 15502->15503 15504 404167 Sleep 15503->15504 15505 404188 ConnectNamedPipe 15503->15505 15504->15500 15507 404176 CloseHandle 15504->15507 15509 404195 GetLastError 15505->15509 15519 4041ab 15505->15519 15508 4040da 15506->15508 15507->15505 15510 403f8c 4 API calls 15508->15510 15511 40425e DisconnectNamedPipe 15509->15511 15509->15519 15512 4040ec 15510->15512 15511->15505 15513 404127 CloseHandle 15512->15513 15514 404101 15512->15514 15513->15500 15516 403f18 4 API calls 15514->15516 15515 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15515->15519 15517 40411c ExitProcess 15516->15517 15518 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15518->15519 15519->15505 15519->15511 15519->15515 15519->15518 15520 40426a CloseHandle CloseHandle 15519->15520 15521 40e318 23 API calls 15520->15521 15522 40427b 15521->15522 15522->15522 15524 408791 15523->15524 
15525 40879f 15523->15525 15526 40f04e 4 API calls 15524->15526 15527 4087bc 15525->15527 15528 40f04e 4 API calls 15525->15528 15526->15525 15529 40e819 11 API calls 15527->15529 15528->15527 15530 4087d7 15529->15530 15533 408803 15530->15533 15545 4026b2 gethostbyaddr 15530->15545 15539 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15533->15539 15540 40e819 11 API calls 15533->15540 15541 4088a0 Sleep 15533->15541 15542 4026b2 2 API calls 15533->15542 15544 40e8a1 30 API calls 15533->15544 15550 408cee 15533->15550 15558 40c4d6 15533->15558 15561 40c4e2 15533->15561 15564 402011 15533->15564 15599 408328 15533->15599 15534 4087eb 15534->15533 15536 40e8a1 30 API calls 15534->15536 15536->15533 15539->15533 15540->15533 15541->15533 15542->15533 15544->15533 15546 4026fb 15545->15546 15547 4026cd 15545->15547 15546->15534 15548 4026e1 inet_ntoa 15547->15548 15549 4026de 15547->15549 15548->15549 15549->15534 15551 408d02 GetTickCount 15550->15551 15552 408dae 15550->15552 15551->15552 15554 408d19 15551->15554 15552->15533 15553 408da1 GetTickCount 15553->15552 15554->15553 15557 408d89 15554->15557 15651 40a677 15554->15651 15654 40a688 15554->15654 15557->15553 15662 40c2dc 15558->15662 15562 40c2dc 134 API calls 15561->15562 15563 40c4ec 15562->15563 15563->15533 15565 402020 15564->15565 15566 40202e 15564->15566 15568 40f04e 4 API calls 15565->15568 15567 40204b 15566->15567 15569 40f04e 4 API calls 15566->15569 15570 40206e GetTickCount 15567->15570 15571 40f04e 4 API calls 15567->15571 15568->15566 15569->15567 15572 4020db GetTickCount 15570->15572 15581 402090 15570->15581 15574 402068 15571->15574 15573 402132 GetTickCount GetTickCount 15572->15573 15584 4020e7 15572->15584 15576 40f04e 4 API calls 15573->15576 15574->15570 15575 4020d4 GetTickCount 15575->15572 15578 402159 15576->15578 15577 40212b GetTickCount 15577->15573 15583 40e854 13 API calls 15578->15583 15598 4021b4 15578->15598 15579 402684 2 API calls 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph

APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop$runas
• API String ID: 3696105349-2220793183
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

Control-flow Graph

APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3188212458-2980165447
                                                                                          • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                          • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0
                                                                                          • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                          • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                          • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                          • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                          Control-flow Graph

                                                                                          control-flow graph (rendered graph omitted): function 0x24ce399-0x24ce3f7; basic blocks call CreateToolhelp32Snapshot and Module32First, plus subroutine 0x24ce058
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 024CE3C1
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 024CE3E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174520005.00000000024BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 024BE000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_24be000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0
                                                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction ID: ec452be82afc36b232cf059265832c9cd0b2df4c947c303ff16d95b6911a6eba
                                                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction Fuzzy Hash: DAF062392007146BE7602AF9988DB6B76E8AF49625F20152EE647D21D0DBF0F8454A61

                                                                                          Control-flow Graph

                                                                                          control-flow graph (rendered graph omitted): single block 0x40ebcc-0x40ebec; calls GetProcessHeap and RtlAllocateHeap, then subroutine 0x40eb74
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                            • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocateSize
                                                                                          • String ID:
                                                                                          • API String ID: 2559512979-0
                                                                                          • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                          • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                          • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                          • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                          Control-flow Graph

                                                                                          control-flow graph (rendered graph omitted): function 0x4073ff-0x407808; basic blocks call RegOpenKeyExA, RegEnumKeyA, RegQueryValueExA, RegCloseKey and GetFileAttributesExA, plus subroutines 0x406dc2, 0x402544, 0x40ee2a, 0x406cad, 0x40f1a5, 0x40ef00, 0x40ee95, 0x40ed03, 0x40ed77, 0x40ed23, 0x406c96 and 0x40ee08
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "$PromptOnSecureDesktop
                                                                                          • API String ID: 3433985886-3108538426
                                                                                          • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                          • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                          Control-flow Graph

                                                                                          control-flow graph (rendered graph omitted): function 0x40704c-0x4073f7; basic blocks call RegOpenKeyExA, RegEnumValueA, RegCloseKey and GetFileAttributesExA, plus subroutines 0x402544, 0x406dc2, 0x40ee2a, 0x40eed1, 0x406cad, 0x40f1a5, 0x40ee95, 0x40ef00, 0x40ed23, 0x40ed77 and 0x406c96
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                                          • RegEnumValueA.KERNELBASE(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                                          • RegCloseKey.KERNELBASE(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                                          • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                          • String ID: $"$PromptOnSecureDesktop
                                                                                          • API String ID: 4293430545-98143240
                                                                                          • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                          • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                          • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                          • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                          Control-flow Graph

                                                                                          control-flow graph (rendered graph omitted): function 0x40675c-0x406986; basic blocks call SetFileAttributesA, CreateFileA, GetFileSize, ReadFile, SetFilePointer and CloseHandle, plus subroutines 0x40ebcc and 0x40ec2e
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                          • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                          • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                                          • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                                          • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                                          • CloseHandle.KERNELBASE(000000FF,?,76230F10,00000000), ref: 00406971
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 2622201749-0
                                                                                          • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                          • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                          • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                          • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
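The function at 0x40675c reads its target file in a fixed sequence: 0x40 bytes (the IMAGE_DOS_HEADER), a SetFilePointer, 0xF8 bytes (signature, IMAGE_FILE_HEADER and the PE32 IMAGE_OPTIONAL_HEADER), another SetFilePointer, then 0x28-byte records (IMAGE_SECTION_HEADER) in a loop, with a heap allocation before the final read. The function at 0x40a003c that follows uses VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA, the API sequence of a manual PE mapper. The Python below is an added example, not code from the sample or from Joe Sandbox: it re-implements that header walk and computes the in-memory layout and the per-section PAGE_* protection a loader would request from VirtualProtect. It runs on a constructed minimal PE32 built in build_sample_pe32 (an assumption for illustration, not the analysed binary); constant names follow the Windows SDK, and the region tuple format is this example's own.

```python
import struct

# Sizes of the three ReadFile calls in the sample's file reader (0x40, 0xF8, 0x28).
DOS_HEADER_SIZE = 0x40           # IMAGE_DOS_HEADER
NT_HEADERS32_SIZE = 0xF8         # Signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32
SECTION_HEADER_SIZE = 0x28       # IMAGE_SECTION_HEADER
IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
PE32_MAGIC = 0x10B

# IMAGE_SECTION_HEADER.Characteristics bits and the PAGE_* values a loader maps them to.
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40


def page_protection(characteristics: int) -> int:
    """Translate section flags into the protection a loader would pass to VirtualProtect."""
    x = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    w = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    r = bool(characteristics & IMAGE_SCN_MEM_READ)
    if x:
        return PAGE_EXECUTE_READWRITE if w else (PAGE_EXECUTE_READ if r else PAGE_EXECUTE)
    return PAGE_READWRITE if w else (PAGE_READONLY if r else PAGE_NOACCESS)


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def parse_pe32(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> NT headers -> section table, in the sample's read order."""
    if len(data) < DOS_HEADER_SIZE or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing or short DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) < NT_HEADERS32_SIZE or struct.unpack_from("<I", nt, 0)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing or short NT headers")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", nt, 4)
    opt = 0x18  # optional header follows the 4-byte signature and 20-byte file header
    if struct.unpack_from("<H", nt, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", nt, opt + 0x10)[0]
    image_base = struct.unpack_from("<I", nt, opt + 0x1C)[0]
    section_align, file_align = struct.unpack_from("<II", nt, opt + 0x20)
    size_of_image, size_of_headers = struct.unpack_from("<II", nt, opt + 0x38)
    table = e_lfanew + 4 + 20 + opt_size  # section table starts right after the optional header
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        if len(data) < off + SECTION_HEADER_SIZE:
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": chars})
    return {"machine": machine, "entry_point": entry, "image_base": image_base,
            "section_alignment": section_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers, "sections": sections}


def map_image(data: bytes, pe: dict):
    """Lay the file out as a loader would after VirtualAlloc(SizeOfImage): headers first, then each
    section at its RVA. Returns the flat image and (name, rva, aligned size, PAGE_*) per section."""
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    regions = []
    for s in pe["sections"]:
        raw = data[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]]
        span = align_up(max(s["virtual_size"], s["raw_size"]), pe["section_alignment"])
        if s["virtual_address"] + span > pe["size_of_image"] or len(raw) != s["raw_size"]:
            raise ValueError(f"section {s['name']} does not fit the file or SizeOfImage")
        image[s["virtual_address"]:s["virtual_address"] + len(raw)] = raw
        regions.append((s["name"], s["virtual_address"], span, page_protection(s["characteristics"])))
    return bytes(image), regions


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 for the demo (not the analysed sample): 0x200 of headers, .text, .data."""
    dos = bytearray(DOS_HEADER_SIZE)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)            # e_lfanew: NT headers follow the DOS header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x00400000)                  # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    sections = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack("<8sIIIIIIHHI", b".data", 0x80, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + bytes(opt) + sections
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200 + b"\x41" * 0x200
```

Every read is bounds-checked before the next offset is derived from it, which is the check a file-backed parser needs and that a mapper trusting e_lfanew, SizeOfImage or PointerToRawData from an attacker-controlled file would lack. The PE32-only guard reflects the 0xF8 read size seen in the sample; a PE32+ image has a 0x108-byte NT header and 64-bit ImageBase and would need a second branch.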

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 040A024D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID: cess$kernel32.dll
                                                                                          • API String ID: 4275171209-1230238691
                                                                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction ID: c4baa1a36c1c88623e039b4033ffd85db8839454ea71c4ae51a53c35e0e006b6
                                                                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction Fuzzy Hash: 2E526B74A01229DFDB64CFA8C984BACBBB1BF09304F1480D9E54DAB351DB30AA95DF15

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                          • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                          • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 4131120076-2980165447
                                                                                          • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                          • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                          • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                          • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                          • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                          • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 408151869-2980165447
                                                                                          • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                          • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                          • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID: ,k@
                                                                                          • API String ID: 3934441357-1053005162
                                                                                          • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                          • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                          • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                          • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                          • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShellSleep
                                                                                          • String ID:
                                                                                          • API String ID: 4194306370-0
                                                                                          • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                          • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                          • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                          • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000400,?,?,040A0223,?,?), ref: 040A0E19
                                                                                          • SetErrorMode.KERNELBASE(00000000,?,?,040A0223,?,?), ref: 040A0E1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction ID: aa8218d920a278acd49a8db63b1ae2b83c19079fa7ae511ab9695a0ffe455710
                                                                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction Fuzzy Hash: E5D0123114512C77DB402ED4DC09BCD7B5CDF09B62F008011FB0DE9080C770954046E5

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1823874839-0
                                                                                          • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                          • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 024CE0A9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174520005.00000000024BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 024BE000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_24be000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: 291bcedeae03a2eb77a018646de168a01b7dedaf746735bddb3311b58a0fb23c
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: 66113C79A00208EFDB01DF99C985E99BBF5AF08351F1580A5FA489B361D371EA50DF80
                                                                                          APIs
                                                                                          • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                          • closesocket.WS2_32(?), ref: 0040CB63
                                                                                          • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                          • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                          • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                          • wsprintfA.USER32 ref: 0040CD21
                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                          • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                          • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                          • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                          • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                          • closesocket.WS2_32(?), ref: 0040D56C
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                          • ExitProcess.KERNEL32 ref: 0040D583
                                                                                          • wsprintfA.USER32 ref: 0040D81F
                                                                                            • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                          • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                          • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                          • API String ID: 562065436-3791576231
                                                                                          • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                          • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                          • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                          • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                          • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                          • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                          • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                          • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                          • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                          • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                          • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                          • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                          • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                          • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                          • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                          • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                          • API String ID: 2238633743-3228201535
                                                                                          • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                          • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                          • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                          • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                          • wsprintfA.USER32 ref: 0040B3B7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                          • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                          • API String ID: 766114626-2976066047
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                          • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                          • API String ID: 1628651668-1839596206
                                                                                          • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                          • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                          • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                          • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                          • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                            • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                          • API String ID: 4207808166-1381319158
                                                                                          • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                          • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                          • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                          • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                                          • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                          • htons.WS2_32(00000000), ref: 00402ADB
                                                                                          • select.WS2_32 ref: 00402B28
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                          • htons.WS2_32(?), ref: 00402B71
                                                                                          • htons.WS2_32(?), ref: 00402B8C
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 1639031587-0
                                                                                          • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                          • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                          • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                          • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                          • ExitProcess.KERNEL32 ref: 00404121
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2404124870-2980165447
                                                                                          • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                          • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                          • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                          • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                          • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                          • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                          • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                          • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                          • String ID: *p@
                                                                                          • API String ID: 3429775523-2474123842
                                                                                          • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                          • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 040A65F6
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 040A6610
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 040A6631
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 040A6652
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction ID: 43a975dfa60250de319b7f71bb5c5e4c861be54be4288b4525b037cf1522fdfa
                                                                                          • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction Fuzzy Hash: E611A371600218BFEB619FB5DC05F9B3FB8EB057A9F044424FA09E7250D7B2ED1086A4
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                          • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                          • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                            • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                            • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3754425949-0
                                                                                          • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                          • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                          • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                          • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: .$GetProcAddress.$l
                                                                                          • API String ID: 0-2784972518
                                                                                          • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                          • Instruction ID: a82863a47a7ee32a9593f35e3836f8bcdee46c17d62b6d218b556de78f494dec
                                                                                          • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                          • Instruction Fuzzy Hash: AA3139B6910609DFEB10CF99C884AAEBBF5FF48328F15404AD541BB210D771FA55CBA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                          • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                          • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                          • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174520005.00000000024BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 024BE000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_24be000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction ID: 532cf22512788b0f98e154439420d282e30f865b5328758a848e5b646e45ced1
                                                                                          • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction Fuzzy Hash: 92118276740100DFD744DF59DCC0EA673EAFB89320B29806AED09CB351D6B5E842C760
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                          • Instruction ID: 27bfe31bfb35ad12db8d1555e65b8e29a56a6146f1affa9217d62723929b1f3d
                                                                                          • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                          • Instruction Fuzzy Hash: 2E01DB776016088FDF21CFA4C804BAA33F5FB86315F4544B5E506E7241E774B941CB90
                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32 ref: 040A9E6D
                                                                                          • lstrcpy.KERNEL32(?,00000000), ref: 040A9FE1
                                                                                          • lstrcat.KERNEL32(?,?), ref: 040A9FF2
                                                                                          • lstrcat.KERNEL32(?,0041070C), ref: 040AA004
                                                                                          • GetFileAttributesExA.KERNEL32(?,?,?), ref: 040AA054
                                                                                          • DeleteFileA.KERNEL32(?), ref: 040AA09F
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 040AA0D6
                                                                                          • lstrcpy.KERNEL32 ref: 040AA12F
                                                                                          • lstrlen.KERNEL32(00000022), ref: 040AA13C
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 040A9F13
                                                                                            • Part of subcall function 040A7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 040A7081
                                                                                            • Part of subcall function 040A6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\mtjsuzee,040A7043), ref: 040A6F4E
                                                                                            • Part of subcall function 040A6F30: GetProcAddress.KERNEL32(00000000), ref: 040A6F55
                                                                                            • Part of subcall function 040A6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 040A6F7B
                                                                                            • Part of subcall function 040A6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 040A6F92
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 040AA1A2
                                                                                          • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 040AA1C5
                                                                                          • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 040AA214
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 040AA21B
                                                                                          • GetDriveTypeA.KERNEL32(?), ref: 040AA265
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 040AA29F
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 040AA2C5
                                                                                          • lstrcat.KERNEL32(?,00000022), ref: 040AA2D9
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 040AA2F4
                                                                                          • wsprintfA.USER32 ref: 040AA31D
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 040AA345
                                                                                          • lstrcat.KERNEL32(?,?), ref: 040AA364
                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 040AA387
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 040AA398
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 040AA1D1
                                                                                            • Part of subcall function 040A9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 040A999D
                                                                                            • Part of subcall function 040A9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 040A99BD
                                                                                            • Part of subcall function 040A9966: RegCloseKey.ADVAPI32(?), ref: 040A99C6
                                                                                          • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 040AA3DB
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 040AA3E2
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 040AA41D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                          • String ID: "$"$"$D$P$\
                                                                                          • API String ID: 1653845638-2605685093
                                                                                          • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                          • Instruction ID: 1ce395d4448e1cb05f0ab651d1e8333ac623301787928a6566b97caccf64e3a4
                                                                                          • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                          • Instruction Fuzzy Hash: BCF12EB1D40259AFDF61DBE08C48EEF7BBCAB08304F0484A6E605F2141E775AA95CF65
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 040A7D21
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 040A7D46
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 040A7D7D
                                                                                          • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 040A7DA2
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 040A7DC0
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 040A7DD1
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 040A7DE5
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 040A7DF3
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 040A7E03
                                                                                          • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 040A7E12
                                                                                          • LocalFree.KERNEL32(00000000), ref: 040A7E19
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 040A7E35
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: D$PromptOnSecureDesktop
                                                                                          • API String ID: 2976863881-1403908072
                                                                                          • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                          • Instruction ID: 955980c3ded740255677abdb136ec4b48f1cf94de033d0485eca69849eb8def5
                                                                                          • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                          • Instruction Fuzzy Hash: A8A14A72900219AFDB51DFA0DD88FEEBBB9FB08304F04806AE505F6150D775EA95CB64
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                          • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: D$PromptOnSecureDesktop
                                                                                          • API String ID: 2976863881-1403908072
                                                                                          • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                          • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                          • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                          • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                          • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                          • API String ID: 2400214276-165278494
                                                                                          • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                          • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                          • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                          • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040A7FB
                                                                                          • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                          • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                          • wsprintfA.USER32 ref: 0040A8AF
                                                                                          • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                          • wsprintfA.USER32 ref: 0040A8E2
                                                                                          • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                          • wsprintfA.USER32 ref: 0040A9B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$send$lstrlenrecv
                                                                                          • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                          • API String ID: 3650048968-2394369944
                                                                                          • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                          • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                          • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                          • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 040A7A96
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 040A7ACD
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 040A7ADF
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 040A7B01
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 040A7B1F
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 040A7B39
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 040A7B4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 040A7B58
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 040A7B68
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 040A7B77
                                                                                          • LocalFree.KERNEL32(00000000), ref: 040A7B7E
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 040A7B9A
                                                                                          • GetAce.ADVAPI32(?,?,?), ref: 040A7BCA
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 040A7BF1
                                                                                          • DeleteAce.ADVAPI32(?,?), ref: 040A7C0A
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 040A7C2C
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 040A7CB1
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 040A7CBF
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 040A7CD0
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 040A7CE0
                                                                                          • LocalFree.KERNEL32(00000000), ref: 040A7CEE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction ID: 4c9818e8546395ba27227307fa84ee12635259e6baa82b505ce7d27c186bfe6d
                                                                                          • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction Fuzzy Hash: FC813A71910219ABDB21CFE4DD88FEEBBB8AF08304F04816AE605F7150D775EA55CBA4
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                          • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                          • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                          • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: PromptOnSecureDesktop$localcfg
                                                                                          • API String ID: 237177642-1678164370
                                                                                          • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                          • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                          • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                          • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                          • API String ID: 835516345-270533642
                                                                                          • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                          • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                          • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                          • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 040A865A
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 040A867B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 040A86A8
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 040A86B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: "$PromptOnSecureDesktop
                                                                                          • API String ID: 237177642-3108538426
                                                                                          • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                          • Instruction ID: c68a3eca156d2a109fbf70bd8d44ed363994997d268d0e4c4cf98ed964238bd5
                                                                                          • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                          • Instruction Fuzzy Hash: A4C193B2940109BEFB51EBE4DD84EEF7BBDEB04344F148465F604F6050EB70AAA48B65
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 040A1601
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 040A17D8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $<$@$D
                                                                                          • API String ID: 1628651668-1974347203
                                                                                          • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                          • Instruction ID: f59bd094d4bda4c31565db7254f6f54cf26bf94e03ad2349103b18cc25510632
                                                                                          • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                          • Instruction Fuzzy Hash: FEF17EB55083419FD720DFA4C888BABB7F5FB89304F00892DF596AB290D7B4E944CB56
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 040A76D9
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 040A7757
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 040A778F
                                                                                          • ___ascii_stricmp.LIBCMT ref: 040A78B4
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 040A794E
                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 040A796D
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 040A797E
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 040A79AC
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 040A7A56
                                                                                            • Part of subcall function 040AF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,040A772A,?), ref: 040AF414
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 040A79F6
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 040A7A4D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "$PromptOnSecureDesktop
                                                                                          • API String ID: 3433985886-3108538426
                                                                                          • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                          • Instruction ID: 0ee7d44abeaf7184e0c47246a03695aa6e80c904efbf3105d767abfe8f8a20cf
                                                                                          • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                          • Instruction Fuzzy Hash: 1FC1B272900109ABEB11DFE4DC44FEE7BF9EB45314F1480A6E504F7150EB75EAA48B61
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 040A2CED
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 040A2D07
                                                                                          • htons.WS2_32(00000000), ref: 040A2D42
                                                                                          • select.WS2_32 ref: 040A2D8F
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 040A2DB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 040A2E62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 127016686-0
                                                                                          • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction ID: 27eb83bcdb58d3029538719261c8e25cccdb495376c0309d6c0cd46c1679e81a
                                                                                          • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction Fuzzy Hash: 3461F571504305AFC320EFA0DC48BABBBE8FB44745F0048BDF945A7251D7B5E8909BA6
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                            • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                            • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                          • wsprintfA.USER32 ref: 0040AEA5
                                                                                            • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                          • wsprintfA.USER32 ref: 0040AE4F
                                                                                          • wsprintfA.USER32 ref: 0040AE5E
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                          • API String ID: 3631595830-1816598006
                                                                                          • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                          • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                          • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                          • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                          • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                          • htons.WS2_32(00000035), ref: 00402E88
                                                                                          • inet_addr.WS2_32(?), ref: 00402E93
                                                                                          • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                          • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: GetNetworkParams$iphlpapi.dll
                                                                                          • API String ID: 929413710-2099955842
                                                                                          • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                          • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?), ref: 040A95A7
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 040A95D5
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 040A95DC
                                                                                          • wsprintfA.USER32 ref: 040A9635
                                                                                          • wsprintfA.USER32 ref: 040A9673
                                                                                          • wsprintfA.USER32 ref: 040A96F4
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 040A9758
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 040A978D
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 040A97D8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3696105349-2980165447
                                                                                          • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                          • Instruction ID: fa488a19595d54aa6c423302a0e268b014ba2fbd40e41f52b05d027465d6d692
                                                                                          • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                          • Instruction Fuzzy Hash: D9A15DB1A00208AFEB21DFE0CC85FDE3BACEB44745F104426FA15A6151E7B5E5A48FA5
                                                                                          APIs
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmpi
                                                                                          • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                          • API String ID: 1586166983-142018493
                                                                                          • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                          • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                          • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                          • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040B467
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$wsprintf
                                                                                          • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                          • API String ID: 1220175532-2340906255
                                                                                          • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                          • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                          • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                          • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 040A202D
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 040A204F
                                                                                          • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 040A206A
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 040A2071
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 040A2082
                                                                                          • GetTickCount.KERNEL32 ref: 040A2230
                                                                                            • Part of subcall function 040A1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 040A1E7C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                          • API String ID: 4207808166-1391650218
                                                                                          • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                          • Instruction ID: a521226c572fa628be88de15e0042dbdd645aa3d083bdfff3460a1079582d631
                                                                                          • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                          • Instruction Fuzzy Hash: 5551B570540344AFE320AFA58C89FA77AECEF5470CF00492DF996A2242D7B9B56487A5
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00402078
                                                                                          • GetTickCount.KERNEL32 ref: 004020D4
                                                                                          • GetTickCount.KERNEL32 ref: 004020DB
                                                                                          • GetTickCount.KERNEL32 ref: 0040212B
                                                                                          • GetTickCount.KERNEL32 ref: 00402132
                                                                                          • GetTickCount.KERNEL32 ref: 00402142
                                                                                            • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                            • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                            • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                            • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                            • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                          • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                          • API String ID: 3976553417-1522128867
                                                                                          • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                          • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                          • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                          • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                          APIs
                                                                                          • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                          • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 040A3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 040A3078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 040A3095
• RtlAllocateHeap.NTDLL(00000000), ref: 040A30B6
• htons.WS2_32(00000035), ref: 040A30EF
• inet_addr.WS2_32(?), ref: 040A30FA
• gethostbyname.WS2_32(?), ref: 040A310D
• HeapFree.KERNEL32(00000000), ref: 040A314D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
APIs
• GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
APIs
• IsBadReadPtr.KERNEL32(?,00000008), ref: 040A67C3
• htonl.WS2_32(?), ref: 040A67DF
• htonl.WS2_32(?), ref: 040A67EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 040A68F1
• ExitProcess.KERNEL32 ref: 040A69BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitRead
• String ID: except_info$localcfg
• API String ID: 1430491713-3605449297
APIs
• htons.WS2_32(040ACC84), ref: 040AF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 040AF5CE
• closesocket.WS2_32(00000000), ref: 040AF5DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
APIs
• GetModuleHandleA.KERNEL32(?), ref: 040A2FA1
• LoadLibraryA.KERNEL32(?), ref: 040A2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 040A2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 040A3000
• RtlAllocateHeap.NTDLL(00000000), ref: 040A3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 040A3032
Strings
Memory Dump Source
• Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\mtjsuzee,040A7043), ref: 040A6F4E
• GetProcAddress.KERNEL32(00000000), ref: 040A6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 040A6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 040A6F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\mtjsuzee
• API String ID: 1082366364-4095895868
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
Yara matches
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
                                                                                          • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                          • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?), ref: 040A92E2
                                                                                          • wsprintfA.USER32 ref: 040A9350
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 040A9375
                                                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 040A9389
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000), ref: 040A9394
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 040A939B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2439722600-2980165447
                                                                                          • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction ID: 1078254d5ca57d04f414ede1aabe4c7d51d38b9bef400473272314dd44e7860c
                                                                                          • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction Fuzzy Hash: 401184B27401147BF7206772EC0DFEF3A6DDBC8B18F00C065BB09F5091EAB55A5196A4
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                          • wsprintfA.USER32 ref: 004090E9
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2439722600-2980165447
                                                                                          • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                          • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 040A9A18
                                                                                          • GetThreadContext.KERNEL32(?,?), ref: 040A9A52
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 040A9A60
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 040A9A98
                                                                                          • SetThreadContext.KERNEL32(?,00010002), ref: 040A9AB5
                                                                                          • ResumeThread.KERNEL32(?), ref: 040A9AC2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2981417381-2746444292
                                                                                          • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                          • Instruction ID: d3c42ce4ec5c6cff300b515c05d2f0e2134698ba4993e92a09e75b5dfeb3815a
                                                                                          • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                          • Instruction Fuzzy Hash: 8A216BB1A01219BBDB119BE1DC08EEF7BBCEF04754F004461BA09F1050E7759A50CBA4
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(004102D8), ref: 040A1C18
                                                                                          • LoadLibraryA.KERNEL32(004102C8), ref: 040A1C26
                                                                                          • GetProcessHeap.KERNEL32 ref: 040A1C84
                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 040A1C9D
                                                                                          • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 040A1CC1
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000), ref: 040A1D02
                                                                                          • FreeLibrary.KERNEL32(?), ref: 040A1D0B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID:
                                                                                          • API String ID: 2324436984-0
                                                                                          • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                          • Instruction ID: 530a7b60ad9dc9f14495406d8fca213f49ef52538654e3ddd85ba73ba7f7a216
                                                                                          • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                          • Instruction Fuzzy Hash: BB315832E00219BFCB519FE4DC888EEBAB9EB49301F24447AE501BA110D7B55E90DB94
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                          • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1586453840-2980165447
                                                                                          • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                          • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                          • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1371578007-2980165447
                                                                                          • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                          • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                          • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                          • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 040A6CE4
                                                                                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 040A6D22
                                                                                          • GetLastError.KERNEL32 ref: 040A6DA7
                                                                                          • CloseHandle.KERNEL32(?), ref: 040A6DB5
                                                                                          • GetLastError.KERNEL32 ref: 040A6DD6
                                                                                          • DeleteFileA.KERNEL32(?), ref: 040A6DE7
                                                                                          • GetLastError.KERNEL32 ref: 040A6DFD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                          • String ID:
                                                                                          • API String ID: 3873183294-0
                                                                                          • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction ID: 2ad32dc9023fe25916e0a1f02812a3ef1c3c175e0fe5dbc4f69706362a2b44c8
                                                                                          • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction Fuzzy Hash: E6312572D00149BFDB00DFE4DD44ADE7FB8EB48344F088465E291F7250E772A5658B61
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 040A93C6
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 040A93CD
                                                                                          • CharToOemA.USER32(?,?), ref: 040A93DB
                                                                                          • wsprintfA.USER32 ref: 040A9410
                                                                                            • Part of subcall function 040A92CB: GetTempPathA.KERNEL32(00000400,?), ref: 040A92E2
                                                                                            • Part of subcall function 040A92CB: wsprintfA.USER32 ref: 040A9350
                                                                                            • Part of subcall function 040A92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 040A9375
                                                                                            • Part of subcall function 040A92CB: lstrlen.KERNEL32(?,?,00000000), ref: 040A9389
                                                                                            • Part of subcall function 040A92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 040A9394
                                                                                            • Part of subcall function 040A92CB: CloseHandle.KERNEL32(00000000), ref: 040A939B
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 040A9448
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3857584221-2980165447
                                                                                          • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction ID: a893474926c7db8513d8d1b99685b39b64c0b7f48a75b689af3ac84da8fbc604
                                                                                          • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction Fuzzy Hash: F90152F69001187BE721A7A19D89EDF377CDB95705F0040A1BB49F2080DAB497C58F75
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                          • CharToOemA.USER32(?,?), ref: 00409174
                                                                                          • wsprintfA.USER32 ref: 004091A9
                                                                                            • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                            • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3857584221-2980165447
                                                                                          • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                          • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen
                                                                                          • String ID: $localcfg
                                                                                          • API String ID: 1659193697-2018645984
                                                                                          • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction ID: 45d49bf0fa709b51dd9a6e9b4d359e2c1b062a2c536cda1f4626eee32201f501
                                                                                          • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction Fuzzy Hash: 56713971B10304AAEF718BD4DC85FEE37A9AB40309F244026F946B60D1DBA6B5B4CF65
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                          • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                          • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                          • String ID: flags_upd$localcfg
                                                                                          • API String ID: 204374128-3505511081
                                                                                          • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                          • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                          APIs
                                                                                            • Part of subcall function 040ADF6C: GetCurrentThreadId.KERNEL32 ref: 040ADFBA
                                                                                          • lstrcmp.KERNEL32(00410178,00000000), ref: 040AE8FA
                                                                                          • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,040A6128), ref: 040AE950
                                                                                          • lstrcmp.KERNEL32(?,00000008), ref: 040AE989
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 2920362961-1846390581
                                                                                          • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction ID: 1dfae623eba7f7103d4b6d36a1f69d8808136004605a4f60af2ed950b7a4b852
                                                                                          • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction Fuzzy Hash: 9031AD31640705DBDFB1CFA4C884BAA7BE4EF05724F00892AE595A7551E370F8A4CBD2
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction ID: bd8598cd039ea67343e79682b2530bc5c70b67d0165614f5b41b672e6f1dc345
                                                                                          • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction Fuzzy Hash: 4A214D76204115FFDB10EBB0EC48EDF7FBDDB49264B148825F542E1091EB72AA5096B4
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                          • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                          • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                          • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 040AC6B4
                                                                                          • InterlockedIncrement.KERNEL32(040AC74B), ref: 040AC715
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,040AC747), ref: 040AC728
                                                                                          • CloseHandle.KERNEL32(00000000,?,040AC747,00413588,040A8A77), ref: 040AC733
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1026198776-1857712256
                                                                                          • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction ID: 4e77356e77407582b0edc10f1384e15bddaf3cbd3004eb0c642953e40c7bb388
                                                                                          • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction Fuzzy Hash: 2251ACB1A04B418FE764CFB9C58462ABBE8FB48304B55593EE18BD7A90D774F850CB10
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                            • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 124786226-2980165447
                                                                                          • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                          • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                          • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                          • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,040AE50A,00000000,00000000,00000000,00020106,00000000,040AE50A,00000000,000000E4), ref: 040AE319
                                                                                          • RegSetValueExA.ADVAPI32(040AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040AE38E
                                                                                          • RegDeleteValueA.ADVAPI32(040AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040AE3BF
                                                                                          • RegCloseKey.ADVAPI32(040AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,040AE50A), ref: 040AE3C8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2667537340-2980165447
                                                                                          • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction ID: 617023ed2fc54c8a2774aa51fd004cd0bc850c348921dea723526904b60630fc
                                                                                          • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction Fuzzy Hash: E3216172A4021DBBDF209FE5EC89EDE7FB9EF08754F008061F908E6150E2719A64D790
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                          • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                          • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2667537340-2980165447
                                                                                          • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                          • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 040A71E1
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 040A7228
                                                                                          • LocalFree.KERNEL32(?,?,?), ref: 040A7286
                                                                                          • wsprintfA.USER32 ref: 040A729D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                          • String ID: |
                                                                                          • API String ID: 2539190677-2343686810
                                                                                          • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction ID: 13fb223c80973a8bb85251e493ae023b4fc743862a91f6c87c0fb79a76cef4cb
                                                                                          • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction Fuzzy Hash: 8F314D72A00109BFDB41DFE8DC48ADA3BECEF04358F14C066F959DB100EA75E6588B94
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                          • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 040AB51A
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 040AB529
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 040AB548
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 040AB590
                                                                                          • wsprintfA.USER32 ref: 040AB61E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 4026320513-0
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: 58df86b7cf16c0a8cf5697d35424b54f7b14875fe1170ef9fbafcdb086d25863
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: 435110B1D0021CAACF54DFD5D8885EEBBB9BF48304F10816AF605B6150E7B85AC9CF98
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 040A6303
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 040A632A
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 040A63B1
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 040A6405
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction ID: 02b12b4178dd7ee7b7109ce59385b648279139a2a802e2531d6895b314d7ad55
                                                                                          • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction Fuzzy Hash: 2B416072A00105EFDB54CF94C884AADB7F4FF04358F188969E995E7250E772F962CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                          • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                          • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: A$ A
                                                                                          • API String ID: 3343386518-686259309
                                                                                          • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                          • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040272E
                                                                                          • htons.WS2_32(00000001), ref: 00402752
                                                                                          • htons.WS2_32(0000000F), ref: 004027D5
                                                                                          • htons.WS2_32(00000001), ref: 004027E3
                                                                                          • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                            • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1128258776-0
                                                                                          • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                          • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                          APIs
                                                                                          • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                          • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: setsockopt
                                                                                          • String ID:
                                                                                          • API String ID: 3981526788-0
                                                                                          • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                          • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                          • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                          APIs
                                                                                            • Part of subcall function 040ADF6C: GetCurrentThreadId.KERNEL32 ref: 040ADFBA
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,040AA6AC), ref: 040AE7BF
                                                                                          • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,040AA6AC), ref: 040AE7EA
                                                                                          • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,040AA6AC), ref: 040AE819
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1396056608-2980165447
                                                                                          • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                          • Instruction ID: fc61bb7149b141fd40451fe3ac8c411eada7b612dbee1054dc24816c8a85d68a
                                                                                          • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                          • Instruction Fuzzy Hash: 6221F3B1A403007AF22177B19C45FEB3E4DDF64BACF500538BA09B51D3EAA5A57082F5
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                          • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3683885500-2980165447
                                                                                          • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                          • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                          • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                          • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 2574300362-1087626847
                                                                                          • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                          • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 040A76D9
                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 040A796D
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 040A797E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnumOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1332880857-2980165447
                                                                                          • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                          • Instruction ID: 349c74559443af82ce5a4b53810c2d9b8f5f5b416f8700af612909d6fb0d41ba
                                                                                          • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                          • Instruction Fuzzy Hash: F511DC30A00109AFEB129FA9DC44FEFBFB8EB91304F188161F510F7290E2B0D9608B61
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2777991786-2393279970
                                                                                          • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                          • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 040A999D
                                                                                          • RegDeleteValueA.ADVAPI32(?,00000000), ref: 040A99BD
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 040A99C6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteOpenValue
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 849931509-2980165447
                                                                                          • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                          • Instruction ID: 89f791ef51dc7005e66d207aacb99441aa4a49745c01044f5e99ce8cda7a29ef
                                                                                          • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                          • Instruction Fuzzy Hash: 05F0FCB2640108BFF7116B94EC06FDF3A2CDB54718F100074F605B5081F6E55BA042B9
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                          • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                          • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteOpenValue
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 849931509-2980165447
                                                                                          • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                          • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                          • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                          • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg$u6A
                                                                                          • API String ID: 1594361348-1940331995
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: e818041d9e7f97f785c879801260e19e9ed1f68deb74804eb3e524ba350013f6
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: E3E08C306051118FCB808F28F948AC537E4AF0A230F0081E8F440E32A0C734AC909641
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 040A69E5
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 040A6A26
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 040A6A3A
                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 040A6BD8
                                                                                            • Part of subcall function 040AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,040A1DCF,?), ref: 040AEEA8
                                                                                            • Part of subcall function 040AEE95: HeapFree.KERNEL32(00000000), ref: 040AEEAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 3384756699-0
                                                                                          • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction ID: c2955a6504cb8402d07743475edb34d35bdb2ccddd2ef43ec0a65a5bc085aebc
                                                                                          • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction Fuzzy Hash: 9E71277190021DEFDF10DFA4CC80AEEBBB9FB08314F14496AE555B6190D731AEA6DB60
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                          • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 040A41AB
                                                                                          • GetLastError.KERNEL32 ref: 040A41B5
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 040A41C6
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 040A41D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction ID: b4cbe5d4cdd7a0e240fce87b1d455d306e5c884dc9e3f739684ec471d90fbdbb
                                                                                          • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction Fuzzy Hash: 2A010C7A51111AAFDF01DF90ED89BEF7BACEB18755F004461F901E2050D7B0EA648BB6
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 040A421F
                                                                                          • GetLastError.KERNEL32 ref: 040A4229
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 040A423A
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 040A424D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: 954f3f7586916be3257eb09dc1e46a685ca2dcb373508e56c463b56d4d3ae456
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: F701C872511109AFDF11DF90EE84BEF7BACEB08259F518461F901F2050D7B0EA649BB6
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                          • GetLastError.KERNEL32 ref: 00403F4E
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                          • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                          • GetLastError.KERNEL32 ref: 00403FC2
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                          APIs
                                                                                          • lstrcmp.KERNEL32(?,80000009), ref: 040AE066
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 1534048567-1846390581
                                                                                          • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                          • Instruction ID: f3626e637ed108290bdfcc5ee951d98a75e965393c4eb6b07461b4cb9b51ab3f
                                                                                          • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                          • Instruction Fuzzy Hash: 2BF062312007029BCB60CFA5D884E82B7E9FB05321B44862AE154E3860D374B4E8CB91
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                          • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                          • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                          • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                          • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                          • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                          • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                          • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                          • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                          • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                          • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                          • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                          • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                          • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                          • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00403103
                                                                                          • GetTickCount.KERNEL32 ref: 0040310F
                                                                                          • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                          • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000001,040A44E2,00000000,00000000,00000000), ref: 040AE470
                                                                                          • CloseHandle.KERNEL32(00000001,00000003), ref: 040AE484
                                                                                            • Part of subcall function 040AE2FC: RegCreateKeyExA.ADVAPI32(80000001,040AE50A,00000000,00000000,00000000,00020106,00000000,040AE50A,00000000,000000E4), ref: 040AE319
                                                                                            • Part of subcall function 040AE2FC: RegSetValueExA.ADVAPI32(040AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040AE38E
                                                                                            • Part of subcall function 040AE2FC: RegDeleteValueA.ADVAPI32(040AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 040AE3BF
                                                                                            • Part of subcall function 040AE2FC: RegCloseKey.ADVAPI32(040AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,040AE50A), ref: 040AE3C8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 4151426672-2980165447
                                                                                          • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                          • Instruction ID: 159c207be06ff07ffbed82691deae00b1e909b9e2cd6a75f4333ab649c787895
                                                                                          • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                          • Instruction Fuzzy Hash: B541C772940204BAEB206EE1DC45FEF3BACDB04768F148065FA09B4191E6B5A670D6F4
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                          • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                            • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 4151426672-2980165447
                                                                                          • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                          • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                          • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                          • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 040A83C6
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 040A8477
                                                                                            • Part of subcall function 040A69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 040A69E5
                                                                                            • Part of subcall function 040A69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 040A6A26
                                                                                            • Part of subcall function 040A69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 040A6A3A
                                                                                            • Part of subcall function 040AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,040A1DCF,?), ref: 040AEEA8
                                                                                            • Part of subcall function 040AEE95: HeapFree.KERNEL32(00000000), ref: 040AEEAF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 359188348-2980165447
                                                                                          • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction ID: b304a4c4f16bf6b5aca4bb10703753b00fef9bb37b9ed191c7c96f074b7f256a
                                                                                          • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction Fuzzy Hash: 8E413DB2900109BFEB50FBE49D84DEF77ACEB04248F1484AAE504F6150F6B16AA48B65
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,040AE859,00000000,00020119,040AE859,PromptOnSecureDesktop), ref: 040AE64D
                                                                                          • RegCloseKey.ADVAPI32(040AE859,?,?,?,?,000000C8,000000E4), ref: 040AE787
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 47109696-2980165447
                                                                                          • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                          • Instruction ID: 6a390d84c41392bf60bae2abe6917886596a24523d310b36879f1a5c21c9cd5b
                                                                                          • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                          • Instruction Fuzzy Hash: 364109B2D4011DBFEF11EFE4DC84DEEBBB9EB14348F144466E900B6150E371AA658BA0
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 040AAFFF
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 040AB00D
                                                                                            • Part of subcall function 040AAF6F: gethostname.WS2_32(?,00000080), ref: 040AAF83
                                                                                            • Part of subcall function 040AAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 040AAFE6
                                                                                            • Part of subcall function 040A331C: gethostname.WS2_32(?,00000080), ref: 040A333F
                                                                                            • Part of subcall function 040A331C: gethostbyname.WS2_32(?), ref: 040A3349
                                                                                            • Part of subcall function 040AAA0A: inet_ntoa.WS2_32(00000000), ref: 040AAA10
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %OUTLOOK_BND_
                                                                                          • API String ID: 1981676241-3684217054
                                                                                          • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction ID: 8844035f7948f801a01856d64a2a992b219c6896c1a24bcdb69d94c053c66d5b
                                                                                          • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction Fuzzy Hash: 6C41317290024CABDF25EFE0DC45EEE3BACFF08308F144426FA25A2151EA75E6648F54
                                                                                          APIs
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 040A9536
                                                                                          • Sleep.KERNEL32(000001F4), ref: 040A955D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShellSleep
                                                                                          • String ID:
                                                                                          • API String ID: 4194306370-3916222277
                                                                                          • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                          • Instruction ID: d9d9cebbb805b9edfd2787b980038f0d66f87e5a3bbf00326511d96c36aacd04
                                                                                          • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                          • Instruction Fuzzy Hash: 17412BF1B043846FFB75ABF4D88EBE63FE49B02314F140995D08277192D67469908711
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 040AB9D9
                                                                                          • InterlockedIncrement.KERNEL32(00413648), ref: 040ABA3A
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 040ABA94
                                                                                          • GetTickCount.KERNEL32 ref: 040ABB79
                                                                                          • GetTickCount.KERNEL32 ref: 040ABB99
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 040ABE15
                                                                                          • closesocket.WS2_32(00000000), ref: 040ABEB4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountIncrementInterlockedTick$closesocket
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 1869671989-2903620461
                                                                                          • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction ID: 625a16bcd7f0af52c3727eb67e786facfc50669d3b86894ceb95e1c472f71d58
                                                                                          • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction Fuzzy Hash: 6B316871500248AFDF65DFE4DC84AEA77F8EB48704F20405AFA25A61A0EB75B6A5CF10
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                          • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                          APIs
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                          • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                          APIs
                                                                                            • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                            • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 3716169038-2903620461
                                                                                          • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                          • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 040A70BC
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 040A70F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID: |
                                                                                          • API String ID: 2370142434-2343686810
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: af036d0a4d0605139d8a1275b1fea65d9c7dee3d68c007062b73a4065dea8b97
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: 6B112A72900118EBDB51CFD8DC88ADEB7FCAB44301F1481B6E501F7090D674EB888BA4
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2777991786-1857712256
                                                                                          • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                          • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                          • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: IncrementInterlockedlstrcpyn
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 224340156-2903620461
                                                                                          • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                          • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                          • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                          • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                          APIs
                                                                                            • Part of subcall function 040A2F88: GetModuleHandleA.KERNEL32(?), ref: 040A2FA1
                                                                                            • Part of subcall function 040A2F88: LoadLibraryA.KERNEL32(?), ref: 040A2FB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 040A31DA
                                                                                          • HeapFree.KERNEL32(00000000), ref: 040A31E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2174714113.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40a0000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction ID: e6111182279623e1196ef97e0ac03961d79048c6ebb9c4503ed8be18c1565013
                                                                                          • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction Fuzzy Hash: 0B519071900246AFDF01DFA4D8889FAB7B5FF05308F144569EC96E7210E772EA29CB90
                                                                                          APIs
                                                                                            • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_rXTqHar5Ud.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                          • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
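The function records above (APIs, Similarity: API ID, String ID, API String ID, fuzzy hashes) are the part of a Joe Sandbox report an analyst pivots on: the "String ID" and "API String ID" fields let you find the same function across samples, and the API list of a single function is what gives a combination like GetComputerNameA + GetVolumeInformationA (a host fingerprint) or LoadLibraryA + GetProcAddress (runtime API resolution) its weight. The following parser is an added example, not Joe Sandbox tooling; SAMPLE is three records excerpted and trimmed from this report, and the pairings in COMBOS are this example's own triage choice, not a list the report defines.

```python
"""Parse Joe Sandbox "Similarity" function records into dicts and tag API pairings.
Added example, not Joe Sandbox tooling; SAMPLE is three records excerpted and trimmed
from this report, and the pairings in COMBOS are this example's own triage choice."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 040A70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 040A70F4
Strings
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Memory Dump Source
• Source File: 00000000.00000002.2173368482.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2173368482.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
RESIDUE = "Download File"  # link text glued onto "Associated:" lines by page extraction

# API pairings worth a tag when they occur inside one function (this example's own list).
COMBOS = {
    "host-fingerprint": {"GetComputerNameA", "GetVolumeInformationA"},
    "user-enumeration": {"GetUserNameW", "LookupAccountNameW"},
    "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"},
}


def parse_records(text):
    """One dict per record: {"apis": [...], "fields": {...}}; a record starts at "APIs"."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "fields": {}}
            records.append(rec)
            section = line
        elif rec is None:
            continue
        elif not line.startswith("•"):          # bare line: section header
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                d = m.groupdict()
                d["args"] = d["args"].split(",") if d["args"] else []
                d["via_subcall"] = d["subcall"] is not None
                rec["apis"].append(d)
        else:                                   # Similarity / Memory Dump Source bullets
            m = KV_RE.match(line)
            if m:
                val = m["val"]
                if val.endswith(RESIDUE):
                    val = val[: -len(RESIDUE)].rstrip()
                rec["fields"][m["key"]] = val
    return records


def api_names(rec, include_subcalls=True):
    return {a["api"] for a in rec["apis"] if include_subcalls or not a["via_subcall"]}


def tag_record(rec):
    """Sorted COMBOS tags whose API set is fully present in the record."""
    names = api_names(rec)
    return sorted(tag for tag, need in COMBOS.items() if need <= names)


def index_by(records, key):
    """Group records by a Similarity field, e.g. "API String ID" or "String ID"."""
    idx = defaultdict(list)
    for rec in records:
        idx[rec["fields"].get(key, "")].append(rec)
    return dict(idx)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["fields"].get("API String ID"), sorted(api_names(rec)), tag_record(rec))
```

Feeding the whole report section through `parse_records` and then `index_by(records, "API String ID")` is the quickest way to diff this sample's function set against another Tofsee drop: identical API String IDs with differing Instruction Fuzzy Hashes point at the functions that actually changed.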

                                                                                          Execution Graph

                                                                                          Execution Coverage:3%
                                                                                          Dynamic/Decrypted Code Coverage:2.1%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:1572
                                                                                          Total number of Limit Nodes:13
                                                                                          execution_graph 14524 409961 RegisterServiceCtrlHandlerA 14525 40997d 14524->14525 14526 4099cb 14524->14526 14534 409892 14525->14534 14528 40999a 14529 4099ba 14528->14529 14530 409892 SetServiceStatus 14528->14530 14529->14526 14532 409892 SetServiceStatus 14529->14532 14531 4099aa 14530->14531 14531->14529 14537 4098f2 14531->14537 14532->14526 14535 4098c2 SetServiceStatus 14534->14535 14535->14528 14539 4098f6 14537->14539 14540 409904 Sleep 14539->14540 14542 409917 14539->14542 14545 404280 CreateEventA 14539->14545 14540->14539 14541 409915 14540->14541 14541->14542 14544 409947 14542->14544 14572 40977c 14542->14572 14544->14529 14546 4042a5 14545->14546 14547 40429d 14545->14547 14586 403ecd 14546->14586 14547->14539 14549 4042b0 14590 404000 14549->14590 14552 4043c1 CloseHandle 14552->14547 14553 4042ce 14596 403f18 WriteFile 14553->14596 14558 4043ba CloseHandle 14558->14552 14559 404318 14560 403f18 4 API calls 14559->14560 14561 404331 14560->14561 14562 403f18 4 API calls 14561->14562 14563 40434a 14562->14563 14604 40ebcc GetProcessHeap HeapAlloc 14563->14604 14566 403f18 4 API calls 14567 404389 14566->14567 14607 40ec2e 14567->14607 14570 403f8c 4 API calls 14571 40439f CloseHandle CloseHandle 14570->14571 14571->14547 14636 40ee2a 14572->14636 14575 4097c2 14577 4097d4 Wow64GetThreadContext 14575->14577 14576 4097bb 14576->14544 14578 409801 14577->14578 14579 4097f5 14577->14579 14638 40637c 14578->14638 14580 4097f6 TerminateProcess 14579->14580 14580->14576 14582 409816 14582->14580 14583 40981e WriteProcessMemory 14582->14583 14583->14579 14584 40983b Wow64SetThreadContext 14583->14584 14584->14579 14585 409858 ResumeThread 14584->14585 14585->14576 14587 403edc 14586->14587 14589 403ee2 14586->14589 14612 406dc2 14587->14612 14589->14549 14591 40400b CreateFileA 14590->14591 14592 40402c GetLastError 14591->14592 14593 404052 14591->14593 14592->14593 
14594 404037 14592->14594 14593->14547 14593->14552 14593->14553 14594->14593 14595 404041 Sleep 14594->14595 14595->14591 14595->14593 14597 403f7c 14596->14597 14598 403f4e GetLastError 14596->14598 14600 403f8c ReadFile 14597->14600 14598->14597 14599 403f5b WaitForSingleObject GetOverlappedResult 14598->14599 14599->14597 14601 403ff0 14600->14601 14602 403fc2 GetLastError 14600->14602 14601->14558 14601->14559 14602->14601 14603 403fcf WaitForSingleObject GetOverlappedResult 14602->14603 14603->14601 14630 40eb74 14604->14630 14608 40ec37 14607->14608 14609 40438f 14607->14609 14633 40eba0 14608->14633 14609->14570 14613 406e24 14612->14613 14614 406dd7 14612->14614 14613->14589 14618 406cc9 14614->14618 14616 406ddc 14616->14613 14616->14616 14617 406e02 GetVolumeInformationA 14616->14617 14617->14613 14619 406cdc GetModuleHandleA GetProcAddress 14618->14619 14620 406dbe 14618->14620 14621 406d12 GetSystemDirectoryA 14619->14621 14622 406cfd 14619->14622 14620->14616 14623 406d27 GetWindowsDirectoryA 14621->14623 14624 406d1e 14621->14624 14622->14621 14626 406d8b 14622->14626 14625 406d42 14623->14625 14624->14623 14624->14626 14628 40ef1e lstrlenA 14625->14628 14626->14620 14629 40ef32 14628->14629 14629->14626 14631 40eb7b GetProcessHeap HeapSize 14630->14631 14632 404350 14630->14632 14631->14632 14632->14566 14634 40eba7 GetProcessHeap HeapSize 14633->14634 14635 40ebbf GetProcessHeap HeapFree 14633->14635 14634->14635 14635->14609 14637 409794 CreateProcessA 14636->14637 14637->14575 14637->14576 14639 406386 14638->14639 14640 40638a GetModuleHandleA VirtualAlloc 14638->14640 14639->14582 14641 4063f5 14640->14641 14642 4063b6 14640->14642 14641->14582 14643 4063be VirtualAllocEx 14642->14643 14643->14641 14644 4063d6 14643->14644 14645 4063df WriteProcessMemory 14644->14645 14645->14641 14664 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 14781 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14664->14781 14666 409a95 
Execution Graph

The sandbox's execution-graph export (a whitespace-separated dump of node ids, image addresses, the Win32 APIs called at each node, and "src->dst" control-flow edges) is summarized below by address and API sequence. Node ids are omitted; addresses are those recorded in the export. The export breaks off at node 16299 (406ba7, IsBadCodePtr).

Startup (entry node 409aa3): GetModuleHandleA, GetModuleFileNameA; GetCommandLineA (409afd); GetTempPathA (409ca0) and lstrcpyA/lstrcatA path assembly (409d72); GetDriveTypeA (409ff1, 40a1b2); RegOpenKeyExA then RegSetValueExA/RegCloseKey (409f32, 409f48), and RegOpenKeyExA then RegDeleteValueA/RegCloseKey (40972d, 40974f); CreateProcessA followed by DeleteFileA (40a103, 40a12a); StartServiceCtrlDispatcherA (40a39d); a DeleteFileA loop that retries after GetLastError and Sleep (40a406, 40a3ed, 40a3f8); then CreateThread and WSAStartup (40a41c), CreateEventA (40405e), and GetTickCount/Sleep pacing (40a49f, 40a4b7, 40a4be). ExitProcess is reached at 409c05, 40411c and 40d582.

Identity and privilege checks: GetUserNameW and LookupAccountNameW (406e36, 406e5f); AllocateAndInitializeSid, CheckTokenMembership, FreeSid (406eef, 406f1c, 406f3b); GetUserNameA, LookupAccountNameA, ConvertSidToStringSidA, LocalFree, wsprintfA (406f5f, 406f88, 406fdb, 407013, 40702a); GetVersionExA (401924, 401db4); GetSystemInfo with GetModuleHandleA/GetProcAddress and GetCurrentProcess (401dd0, 401e16, 401851).

Elevation and process launch: ShellExecuteExW (4012e1), then lstrlenW, GetStartupInfoW, CreateProcessWithLogonW, WaitForSingleObject, CloseHandle and GetLastError (401570, 4015be, 4015ff, 40163f, 401659, 401668, 4016bf, 4016f9); CharToOemA and wsprintfA (409145, 40919e) leading into GetTempPathA, wsprintfA, CreateFileA, lstrlenA/WriteFile/CloseHandle and then ShellExecuteA (409064, 4090e2, 4090fd, 40911a, 4091d5); ShellExecuteA inside a Sleep loop (4092bf, 4092f1); CreateProcessA (4080c2, 40d4b1) with WaitForSingleObject/CloseHandle (40cd81, 40d4e8) and DeleteFileA (40cdbd, 407ece).

Dynamic API resolution: LoadLibraryA followed by a chain of fifteen GetProcAddress calls (40100d, 4010b5 through 40125c); LoadLibraryA/GetProcAddress (401ac3, 401ae2, 40eaed, 40eb02); inet_addr and LoadLibraryA, three GetProcAddress calls, GetProcessHeap/HeapAlloc/HeapReAlloc/HeapFree and FreeLibrary (40199c, 4019d5, 401a14, 401a2e, 401a52, 401a96, 401aa1, 401ab3).

Host fingerprinting: GetComputerNameA and GetVolumeInformationA (401c0d, 401c45, 401b68); gethostname/gethostbyname (4030d0); GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount (40ec54); GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle (408e26); LoadLibraryA/GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime (40f04e).

File and registry handling: CreateFileA, SetFileAttributesA, GetFileSize, ReadFile, SetFilePointer (406784, 40677a, 4067a4, 4067ba, 4067cf, 4067ed, 406811, 40682a, 406848, 406878, 406900, 40690d); CreateFileA, GetDiskFreeSpaceA, WriteFile, CloseHandle, GetLastError, DeleteFileA (406a60, 406a8f, 4069b9, 406a10, 406b36, 406b56, 406b65, 406b7f, 406b8c); RegOpenKeyExA with RegEnumKeyA, RegQueryValueExA, GetFileAttributesExA and ___ascii_stricmp (407469, 4074d2, 407521, 407703, 40777e) and RegOpenKeyExA with RegEnumValueA and GetFileAttributesExA (4070b9, 40719b, 40737e); GetEnvironmentVariableA then lstrcpyA/CreateFileA (40db67, 40db89) with GetFileSize/ReadFile/CloseHandle (40e555, 40e576, 40e5b1); RegOpenKeyExA/RegQueryValueExA reads (40e3ca, 40e434, 40e46e, 40e4b9, 40e51d) and RegCreateKeyExA/RegSetValueExA/RegDeleteValueA writes (40e095, 40e115, 40e14e) alongside WriteFile/CloseHandle (40e1f9, 40e21a); further RegOpenKeyExA/RegQueryValueExA/RegSetValueExA sequences (408156, 40816d, 4083ea, 4083fd, 40842d, 4084a7, 4084c0, 4084f8, 408564, 408573); lstrlenA/SysAllocStringByteLen and MultiByteToWideChar (40f0fa, 40f11c).

Security-descriptor rewriting: on a file, GetUserNameA, LookupAccountNameA, GetLengthSid/GetFileSecurityA, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA, LocalFree, then GetSecurityDescriptorDacl, GetAce, EqualSid, DeleteAce, and a fresh descriptor with InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetFileSecurityA (407809, 40783d, 407874, 4078a8, 4078c5, 4078dc, 4078ef, 4078fb, 40790b, 407916, 40791d, 40795b, 407980, 40799d, 4079be, 407a43, 407a56, 407a62, 407a73, 407a86); the same pattern on a registry key with RegOpenKeyExA, RegGetKeySecurity, RegSetKeySecurity and RegSetValueExA (407a95, 407acb, 407aed, 407b24, 407b49, 407b63, 407b74, 407b8a, 407b96, 407ba6, 407bb8, 407bf8, 407c1d, 407c3a, 407c5f, 407cf2, 407d43, 407d5a, 407d70, 407d7c, 407d8c, 407d9f, 407da7).

Networking: inet_addr/gethostbyname (402692, 40269e); gethostbyaddr/inet_ntoa (4026b2, 4026e1); htons/socket, ioctlsocket, connect/select, __WSAFDIsSet, ioctlsocket and five setsockopt calls (40f347, 40f382, 40f3aa, 40f3f2, 40f403, 40f26d); recv (40f473); send (40c73c, and 40c65c with GetProcessHeap/HeapSize/HeapAlloc); closesocket (40ca4b, 40cb60, 40f374, 40f39f); closesocket/Sleep followed by ExitProcess (40d569, 40d582).

Named pipe: CreateNamedPipeA, Sleep/CloseHandle on failure, ConnectNamedPipe, GetLastError, DisconnectNamedPipe, overlapped ReadFile and WriteFile each with GetLastError/WaitForSingleObject/GetOverlappedResult, CloseHandle/CloseHandle (404159, 404167, 404176, 404188, 404195, 40425e, 403f8c, 403f18, 40426a).

Dropped-file handling (loop node 40cb70): GetTempPathA (40cc1c), GetSystemDirectoryA (40cfe3, 40d027), GetEnvironmentVariableA (40cfad, 40d22d, 40d36e), lstrcatA (40d105, 40d26e, 40d3af), SetFileAttributesA (40d149, 40d1bf, 40d29f, 40d31d, 40d3e0, 40d452), CreateFileA and WriteFile/CloseHandle (40cc9f, 40ccc6, 40cced, 40cdcc, 40d15b, 40d182, 40d2b1, 40d2d8, 40d3f2, 40d415), wsprintfA (40cd16, 40d815), CreateProcessA/CloseHandle (40d4b1, 40d4e8); GetTempPathA, lstrcpyA/lstrlenA, DeleteFileA (408626, 4086e0, 40875b); lstrcmpA/lstrcmpiA/lstrcpynA string matching (40e68c, 40e6e0, 40e71d, 40dd84, 40ddcf, 40e8c8, 40e926, 40e94c).

Timing and locking: InterlockedExchange, GetCurrentThreadId, GetTickCount, Sleep (40dd41, 40dd20, 40dd53, 40dd2e, 40dd39); InterlockedExchange/GetTickCount/Sleep spin loops (403122, 40310f, 40311a, 407dc8, 407dc0); GetTickCount/wsprintfA (40bfce, 40c07e); GetTickCount checks (408d02, 408da1, 40206e, 4020d4, 4020db, 40212b, 402132); heap bookkeeping via GetProcessHeap/HeapSize/HeapAlloc/HeapReAlloc/HeapFree (40ebcc, 40ec0a, 40ec2e) tagged codecvt.
15814 402125 15813->15814 15818 401978 15 API calls 15813->15818 16219 402ef8 15813->16219 15814->15804 15815 4021f2 15815->15769 15816->15815 15819 40ea84 30 API calls 15816->15819 15820 40219c 15817->15820 15818->15813 15821 4021ec 15819->15821 15820->15822 16227 401c5f 15820->16227 15823 40f04e 4 API calls 15821->15823 15822->15808 15823->15815 15826 407dd6 6 API calls 15825->15826 15827 40833c 15826->15827 15828 408340 15827->15828 15829 406ec3 2 API calls 15827->15829 15828->15769 15830 40834f 15829->15830 15831 40835c 15830->15831 15835 40846b 15830->15835 15832 4073ff 17 API calls 15831->15832 15833 408373 15832->15833 15833->15828 15857 4083ea RegOpenKeyExA 15833->15857 15862 408450 15833->15862 15834 40675c 21 API calls 15837 4085df 15834->15837 15838 4084a7 RegOpenKeyExA 15835->15838 15835->15862 15836 408626 GetTempPathA 15864 408638 15836->15864 15837->15836 15847 408762 15837->15847 15837->15864 15841 4084c0 RegQueryValueExA 15838->15841 15842 40852f 15838->15842 15840 4086ad 15844 407e2f 6 API calls 15840->15844 15840->15847 15843 408521 RegCloseKey 15841->15843 15846 4084dd 15841->15846 15845 408564 RegOpenKeyExA 15842->15845 15855 4085a5 15842->15855 15843->15842 15856 4086bb 15844->15856 15848 408573 RegSetValueExA RegCloseKey 15845->15848 15845->15855 15846->15843 15851 40ebcc 4 API calls 15846->15851 15847->15828 15850 40ec2e codecvt 4 API calls 15847->15850 15848->15855 15849 40875b DeleteFileA 15849->15847 15850->15828 15852 4084f0 15851->15852 15852->15843 15854 4084f8 RegQueryValueExA 15852->15854 15854->15843 15858 408515 15854->15858 15859 40ec2e codecvt 4 API calls 15855->15859 15855->15862 15856->15849 15863 4086e0 lstrcpyA lstrlenA 15856->15863 15860 4083fd RegQueryValueExA 15857->15860 15857->15862 15861 40ec2e codecvt 4 API calls 15858->15861 15859->15862 15865 40842d RegSetValueExA 15860->15865 15866 40841e 15860->15866 15868 40851d 15861->15868 15862->15834 15862->15837 15869 407fcf 64 API calls 15863->15869 16299 406ba7 IsBadCodePtr 
15864->16299 15867 408447 RegCloseKey 15865->15867 15866->15865 15866->15867 15867->15862 15868->15843 15870 408719 CreateProcessA 15869->15870 15871 40873d CloseHandle CloseHandle 15870->15871 15872 40874f 15870->15872 15871->15847 15873 407ee6 64 API calls 15872->15873 15874 408754 15873->15874 15875 407ead 6 API calls 15874->15875 15876 40875a 15875->15876 15876->15849 15883 40a63d 15877->15883 15879 40a685 15879->15781 15881 40a63d GetTickCount 15880->15881 15882 40a696 15881->15882 15882->15781 15884 40a645 15883->15884 15885 40a64d 15883->15885 15884->15879 15886 40a66e 15885->15886 15887 40a65e GetTickCount 15885->15887 15886->15879 15887->15886 15904 40a4c7 GetTickCount 15888->15904 15891 40c300 GetTickCount 15893 40c337 15891->15893 15892 40c326 15892->15893 15894 40c32b GetTickCount 15892->15894 15898 40c363 GetTickCount 15893->15898 15903 40c45e 15893->15903 15894->15893 15895 40c4d2 15895->15769 15896 40c4ab InterlockedIncrement CreateThread 15896->15895 15897 40c4cb CloseHandle 15896->15897 15909 40b535 15896->15909 15897->15895 15899 40c373 15898->15899 15898->15903 15900 40c378 GetTickCount 15899->15900 15901 40c37f 15899->15901 15900->15901 15902 40c43b GetTickCount 15901->15902 15902->15903 15903->15895 15903->15896 15905 40a4f7 InterlockedExchange 15904->15905 15906 40a500 15905->15906 15907 40a4e4 GetTickCount 15905->15907 15906->15891 15906->15892 15906->15903 15907->15906 15908 40a4ef Sleep 15907->15908 15908->15905 15910 40b566 15909->15910 15911 40ebcc 4 API calls 15910->15911 15912 40b587 15911->15912 15913 40ebcc 4 API calls 15912->15913 15964 40b590 15913->15964 15914 40bdcd InterlockedDecrement 15915 40bde2 15914->15915 15917 40ec2e codecvt 4 API calls 15915->15917 15918 40bdea 15917->15918 15920 40ec2e codecvt 4 API calls 15918->15920 15919 40bdb7 Sleep 15919->15964 15921 40bdf2 15920->15921 15922 40be05 15921->15922 15924 40ec2e codecvt 4 API calls 15921->15924 15923 40bdcc 15923->15914 15924->15922 15925 40ebed 8 API calls 15925->15964 
15928 40b6b6 lstrlenA 15928->15964 15929 4030b5 2 API calls 15929->15964 15930 40e819 11 API calls 15930->15964 15931 40b6ed lstrcpyA 15984 405ce1 15931->15984 15934 40b731 lstrlenA 15934->15964 15935 40b71f lstrcmpA 15935->15934 15935->15964 15936 40b772 GetTickCount 15936->15964 15937 40bd49 InterlockedIncrement 16078 40a628 15937->16078 15940 40b7ce InterlockedIncrement 15994 40acd7 15940->15994 15941 4038f0 6 API calls 15941->15964 15942 40bc5b InterlockedIncrement 15942->15964 15945 40b912 GetTickCount 15945->15964 15946 40b826 InterlockedIncrement 15946->15936 15947 40b932 GetTickCount 15949 40bc6d InterlockedIncrement 15947->15949 15947->15964 15948 40bcdc closesocket 15948->15964 15949->15964 15950 405ce1 21 API calls 15950->15964 15953 40bba6 InterlockedIncrement 15953->15964 15956 40bc4c closesocket 15956->15964 15958 40ba71 wsprintfA 16012 40a7c1 15958->16012 15959 405ded 12 API calls 15959->15964 15961 40a7c1 22 API calls 15961->15964 15962 40ab81 lstrcpynA InterlockedIncrement 15962->15964 15963 40ef1e lstrlenA 15963->15964 15964->15914 15964->15919 15964->15923 15964->15925 15964->15928 15964->15929 15964->15930 15964->15931 15964->15934 15964->15935 15964->15936 15964->15937 15964->15940 15964->15941 15964->15942 15964->15945 15964->15946 15964->15947 15964->15948 15964->15950 15964->15953 15964->15956 15964->15958 15964->15959 15964->15961 15964->15962 15964->15963 15965 40a688 GetTickCount 15964->15965 15966 403e10 15964->15966 15969 403e4f 15964->15969 15972 40384f 15964->15972 15992 40a7a3 inet_ntoa 15964->15992 15999 40abee 15964->15999 16011 401feb GetTickCount 15964->16011 16032 403cfb 15964->16032 16035 40b3c5 15964->16035 16066 40ab81 15964->16066 15965->15964 15967 4030fa 4 API calls 15966->15967 15968 403e1d 15967->15968 15968->15964 15970 4030fa 4 API calls 15969->15970 15971 403e5c 15970->15971 15971->15964 15973 4030fa 4 API calls 15972->15973 15975 403863 15973->15975 15974 4038b2 15974->15964 15975->15974 15976 4038b9 15975->15976 
15977 403889 15975->15977 16087 4035f9 15976->16087 16081 403718 15977->16081 15982 4035f9 6 API calls 15982->15974 15983 403718 6 API calls 15983->15974 15985 405cf4 15984->15985 15986 405cec 15984->15986 15988 404bd1 4 API calls 15985->15988 16093 404bd1 GetTickCount 15986->16093 15989 405d02 15988->15989 16098 405472 15989->16098 15993 40a7b9 15992->15993 15993->15964 15995 40f315 14 API calls 15994->15995 15996 40aceb 15995->15996 15997 40acff 15996->15997 15998 40f315 14 API calls 15996->15998 15997->15964 15998->15997 16000 40abfb 15999->16000 16003 40ac65 16000->16003 16160 402f22 16000->16160 16002 40f315 14 API calls 16002->16003 16003->16002 16004 40ac8a 16003->16004 16005 40ac6f 16003->16005 16004->15964 16007 40ab81 2 API calls 16005->16007 16006 40ac23 16006->16003 16009 402684 2 API calls 16006->16009 16008 40ac81 16007->16008 16168 4038f0 16008->16168 16009->16006 16011->15964 16013 40a87d lstrlenA send 16012->16013 16014 40a7df 16012->16014 16015 40a899 16013->16015 16016 40a8bf 16013->16016 16014->16013 16021 40a7fa wsprintfA 16014->16021 16022 40a80a 16014->16022 16025 40a8f2 16014->16025 16017 40a8a5 wsprintfA 16015->16017 16026 40a89e 16015->16026 16018 40a8c4 send 16016->16018 16016->16025 16017->16026 16020 40a8d8 wsprintfA 16018->16020 16018->16025 16019 40a978 recv 16024 40a982 16019->16024 16019->16025 16020->16026 16021->16022 16022->16013 16023 40a9b0 wsprintfA 16023->16026 16024->16026 16027 4030b5 2 API calls 16024->16027 16025->16019 16025->16023 16025->16024 16026->15964 16028 40ab05 16027->16028 16029 40e819 11 API calls 16028->16029 16030 40ab17 16029->16030 16031 40a7a3 inet_ntoa 16030->16031 16031->16026 16033 4030fa 4 API calls 16032->16033 16034 403d0b 16033->16034 16034->15964 16036 405ce1 21 API calls 16035->16036 16037 40b3e6 16036->16037 16038 405ce1 21 API calls 16037->16038 16040 40b404 16038->16040 16039 40b440 16041 40ef7c 3 API calls 16039->16041 16040->16039 16042 40ef7c 3 API calls 16040->16042 16043 40b458 wsprintfA 
16041->16043 16044 40b42b 16042->16044 16045 40ef7c 3 API calls 16043->16045 16046 40ef7c 3 API calls 16044->16046 16047 40b480 16045->16047 16046->16039 16048 40ef7c 3 API calls 16047->16048 16049 40b493 16048->16049 16050 40ef7c 3 API calls 16049->16050 16051 40b4bb 16050->16051 16182 40ad89 GetLocalTime SystemTimeToFileTime 16051->16182 16055 40b4cc 16056 40ef7c 3 API calls 16055->16056 16057 40b4dd 16056->16057 16058 40b211 7 API calls 16057->16058 16059 40b4ec 16058->16059 16060 40ef7c 3 API calls 16059->16060 16061 40b4fd 16060->16061 16062 40b211 7 API calls 16061->16062 16063 40b509 16062->16063 16064 40ef7c 3 API calls 16063->16064 16065 40b51a 16064->16065 16065->15964 16067 40abe9 GetTickCount 16066->16067 16069 40ab8c 16066->16069 16071 40a51d 16067->16071 16068 40aba8 lstrcpynA 16068->16069 16069->16067 16069->16068 16070 40abe1 InterlockedIncrement 16069->16070 16070->16069 16072 40a4c7 4 API calls 16071->16072 16073 40a52c 16072->16073 16074 40a542 GetTickCount 16073->16074 16075 40a539 GetTickCount 16073->16075 16074->16075 16077 40a56c 16075->16077 16077->15964 16079 40a4c7 4 API calls 16078->16079 16080 40a633 16079->16080 16080->15964 16082 40f04e 4 API calls 16081->16082 16084 40372a 16082->16084 16083 403847 16083->15974 16083->15983 16084->16083 16085 4037b3 GetCurrentThreadId 16084->16085 16085->16084 16086 4037c8 GetCurrentThreadId 16085->16086 16086->16084 16088 40f04e 4 API calls 16087->16088 16089 40360c 16088->16089 16090 4036da GetCurrentThreadId 16089->16090 16092 4036f1 16089->16092 16091 4036e5 GetCurrentThreadId 16090->16091 16090->16092 16091->16092 16092->15974 16092->15982 16094 404bff InterlockedExchange 16093->16094 16095 404c08 16094->16095 16096 404bec GetTickCount 16094->16096 16095->15985 16096->16095 16097 404bf7 Sleep 16096->16097 16097->16094 16116 404763 16098->16116 16100 405b58 16126 404699 16100->16126 16103 404763 lstrlenA 16104 405b6e 16103->16104 16147 404f9f 16104->16147 16106 405b79 16106->15964 16108 405549 
lstrlenA 16114 40548a 16108->16114 16110 40558d lstrcpynA 16110->16114 16111 405a9f lstrcpyA 16111->16114 16112 405472 13 API calls 16112->16114 16113 405935 lstrcpynA 16113->16114 16114->16100 16114->16110 16114->16111 16114->16112 16114->16113 16115 404ae6 8 API calls 16114->16115 16120 404ae6 16114->16120 16124 40ef7c lstrlenA lstrlenA lstrlenA 16114->16124 16115->16114 16118 40477a 16116->16118 16117 404859 16117->16114 16118->16117 16119 40480d lstrlenA 16118->16119 16119->16118 16121 404af3 16120->16121 16123 404b03 16120->16123 16122 40ebed 8 API calls 16121->16122 16122->16123 16123->16108 16125 40efb4 16124->16125 16125->16114 16152 4045b3 16126->16152 16129 4045b3 7 API calls 16130 4046c6 16129->16130 16131 4045b3 7 API calls 16130->16131 16132 4046d8 16131->16132 16133 4045b3 7 API calls 16132->16133 16134 4046ea 16133->16134 16135 4045b3 7 API calls 16134->16135 16136 4046ff 16135->16136 16137 4045b3 7 API calls 16136->16137 16138 404711 16137->16138 16139 4045b3 7 API calls 16138->16139 16140 404723 16139->16140 16141 40ef7c 3 API calls 16140->16141 16142 404735 16141->16142 16143 40ef7c 3 API calls 16142->16143 16144 40474a 16143->16144 16145 40ef7c 3 API calls 16144->16145 16146 40475c 16145->16146 16146->16103 16148 404fac 16147->16148 16151 404fb0 16147->16151 16148->16106 16149 404ffd 16149->16106 16150 404fd5 IsBadCodePtr 16150->16151 16151->16149 16151->16150 16153 4045c1 16152->16153 16155 4045c8 16152->16155 16154 40ebcc 4 API calls 16153->16154 16154->16155 16156 40ebcc 4 API calls 16155->16156 16158 4045e1 16155->16158 16156->16158 16157 404691 16157->16129 16158->16157 16159 40ef7c 3 API calls 16158->16159 16159->16158 16175 402d21 GetModuleHandleA 16160->16175 16163 402fcf GetProcessHeap HeapFree 16167 402f44 16163->16167 16164 402f4f 16166 402f6b GetProcessHeap HeapFree 16164->16166 16165 402f85 16165->16163 16165->16165 16166->16167 16167->16006 16167->16167 16169 403900 16168->16169 16170 403980 16168->16170 16171 4030fa 4 API calls 
16169->16171 16170->16004 16173 40390a 16171->16173 16172 40391b GetCurrentThreadId 16172->16173 16173->16170 16173->16172 16174 403939 GetCurrentThreadId 16173->16174 16174->16173 16176 402d46 LoadLibraryA 16175->16176 16177 402d5b GetProcAddress 16175->16177 16176->16177 16179 402d54 16176->16179 16178 402d6b 16177->16178 16177->16179 16178->16179 16180 402d97 GetProcessHeap HeapAlloc 16178->16180 16181 402db5 lstrcpynA 16178->16181 16179->16164 16179->16165 16179->16167 16180->16178 16180->16179 16181->16178 16183 40adbf 16182->16183 16207 40ad08 gethostname 16183->16207 16186 4030b5 2 API calls 16187 40add3 16186->16187 16188 40a7a3 inet_ntoa 16187->16188 16196 40ade4 16187->16196 16188->16196 16189 40ae85 wsprintfA 16190 40ef7c 3 API calls 16189->16190 16191 40aebb 16190->16191 16193 40ef7c 3 API calls 16191->16193 16192 40ae36 wsprintfA wsprintfA 16194 40ef7c 3 API calls 16192->16194 16195 40aed2 16193->16195 16194->16196 16197 40b211 16195->16197 16196->16189 16196->16192 16198 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16197->16198 16199 40b2af GetLocalTime 16197->16199 16200 40b2d2 16198->16200 16199->16200 16201 40b2d9 SystemTimeToFileTime 16200->16201 16202 40b31c GetTimeZoneInformation 16200->16202 16203 40b2ec 16201->16203 16204 40b33a wsprintfA 16202->16204 16205 40b312 FileTimeToSystemTime 16203->16205 16204->16055 16205->16202 16208 40ad71 16207->16208 16209 40ad26 lstrlenA 16207->16209 16211 40ad85 16208->16211 16212 40ad79 lstrcpyA 16208->16212 16209->16208 16213 40ad68 lstrlenA 16209->16213 16211->16186 16212->16211 16213->16208 16215 40f428 14 API calls 16214->16215 16216 40198a 16215->16216 16217 401990 closesocket 16216->16217 16218 401998 16216->16218 16217->16218 16218->15798 16220 402d21 6 API calls 16219->16220 16221 402f01 16220->16221 16222 402f0f 16221->16222 16235 402df2 GetModuleHandleA 16221->16235 16223 402684 2 API calls 16222->16223 16226 402f1f 16222->16226 16225 402f1d 16223->16225 16225->15813 16226->15813 16229 401c80 
16227->16229 16228 401d1c 16232 401d47 wsprintfA 16228->16232 16229->16228 16230 401cc2 wsprintfA 16229->16230 16234 401d79 16229->16234 16231 402684 2 API calls 16230->16231 16231->16229 16233 402684 2 API calls 16232->16233 16233->16234 16234->15822 16236 402e10 LoadLibraryA 16235->16236 16237 402e0b 16235->16237 16238 402e17 16236->16238 16237->16236 16237->16238 16239 402ef1 16238->16239 16240 402e28 GetProcAddress 16238->16240 16239->16222 16240->16239 16241 402e3e GetProcessHeap HeapAlloc 16240->16241 16243 402e62 16241->16243 16242 402ede GetProcessHeap HeapFree 16242->16239 16243->16239 16243->16242 16244 402e7f htons inet_addr 16243->16244 16245 402ea5 gethostbyname 16243->16245 16247 402ceb 16243->16247 16244->16243 16244->16245 16245->16243 16248 402cf2 16247->16248 16250 402d1c 16248->16250 16251 402d0e Sleep 16248->16251 16252 402a62 GetProcessHeap HeapAlloc 16248->16252 16250->16243 16251->16248 16251->16250 16253 402a92 16252->16253 16254 402a99 socket 16252->16254 16253->16248 16255 402cd3 GetProcessHeap HeapFree 16254->16255 16256 402ab4 16254->16256 16255->16253 16256->16255 16270 402abd 16256->16270 16257 402adb htons 16272 4026ff 16257->16272 16259 402b04 select 16259->16270 16260 402cb3 GetProcessHeap HeapFree closesocket 16260->16253 16261 402b3f recv 16261->16270 16262 402b66 htons 16263 402ca4 16262->16263 16262->16270 16263->16260 16264 402b87 htons 16264->16263 16264->16270 16267 402bf3 GetProcessHeap HeapAlloc 16267->16270 16268 402c17 htons 16287 402871 16268->16287 16270->16257 16270->16259 16270->16260 16270->16261 16270->16262 16270->16263 16270->16264 16270->16267 16270->16268 16271 402c4d GetProcessHeap HeapFree 16270->16271 16279 402923 16270->16279 16291 402904 16270->16291 16271->16270 16273 40271d 16272->16273 16274 402717 16272->16274 16276 40272b GetTickCount htons 16273->16276 16275 40ebcc 4 API calls 16274->16275 16275->16273 16277 4027cc htons htons sendto 16276->16277 16278 40278a 16276->16278 16277->16270 16278->16277 
16280 402944 16279->16280 16282 40293d 16279->16282 16295 402816 htons 16280->16295 16282->16270 16283 402871 htons 16286 402950 16283->16286 16284 4029bd htons htons htons 16284->16282 16285 4029f6 GetProcessHeap HeapAlloc 16284->16285 16285->16282 16285->16286 16286->16282 16286->16283 16286->16284 16288 4028e3 16287->16288 16290 402889 16287->16290 16288->16270 16289 4028c3 htons 16289->16288 16289->16290 16290->16288 16290->16289 16292 402921 16291->16292 16293 402908 16291->16293 16292->16270 16294 402909 GetProcessHeap HeapFree 16293->16294 16294->16292 16294->16294 16296 40286b 16295->16296 16297 402836 16295->16297 16296->16286 16297->16296 16298 40285c htons 16297->16298 16298->16296 16298->16297 16300 406bc0 16299->16300 16301 406bbc 16299->16301 16302 40ebcc 4 API calls 16300->16302 16312 406bd4 16300->16312 16301->15840 16303 406be4 16302->16303 16304 406c07 CreateFileA 16303->16304 16305 406bfc 16303->16305 16303->16312 16307 406c34 WriteFile 16304->16307 16308 406c2a 16304->16308 16306 40ec2e codecvt 4 API calls 16305->16306 16306->16312 16310 406c49 CloseHandle DeleteFileA 16307->16310 16311 406c5a CloseHandle 16307->16311 16309 40ec2e codecvt 4 API calls 16308->16309 16309->16312 16310->16308 16313 40ec2e codecvt 4 API calls 16311->16313 16312->15840 16313->16312 14646 2578295 14649 25782a1 14646->14649 14650 25782b0 14649->14650 14653 2578a41 14650->14653 14655 2578a5c 14653->14655 14654 2578a65 CreateToolhelp32Snapshot 14654->14655 14656 2578a81 Module32First 14654->14656 14655->14654 14655->14656 14657 25782a0 14656->14657 14658 2578a90 14656->14658 14660 2578700 14658->14660 14661 257872b 14660->14661 14662 257873c VirtualAlloc 14661->14662 14663 2578774 14661->14663 14662->14663 14663->14663 16314 2c80005 16319 2c8092b GetPEB 16314->16319 16316 2c80030 16321 2c8003c 16316->16321 16320 2c80972 16319->16320 16320->16316 16322 2c80049 16321->16322 16336 2c80e0f SetErrorMode SetErrorMode 16322->16336 16327 2c80265 16328 2c802ce VirtualProtect 
16327->16328 16330 2c8030b 16328->16330 16329 2c80439 VirtualFree 16334 2c804be 16329->16334 16335 2c805f4 LoadLibraryA 16329->16335 16330->16329 16331 2c804e3 LoadLibraryA 16331->16334 16333 2c808c7 16334->16331 16334->16335 16335->16333 16337 2c80223 16336->16337 16338 2c80d90 16337->16338 16339 2c80dad 16338->16339 16340 2c80dbb GetPEB 16339->16340 16341 2c80238 VirtualAlloc 16339->16341 16340->16341 16341->16327
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\rXTqHar5Ud.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\rXTqHar5Ud.exe$C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$D$P$\$dkajlqvv
• API String ID: 2089075347-1506434891
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                          • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                          • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                          • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                          • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                          • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C8024D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID: cess$kernel32.dll
                                                                                          • API String ID: 4275171209-1230238691
                                                                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction ID: acd8429db98b17632d335476261fc33c41f825b06f7640636538905718581767
                                                                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction Fuzzy Hash: 62526B75A01229DFDB64CF58C984BACBBB1BF09308F1480D9E54DAB351DB30AA89DF15

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                          • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                          • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2098669666-2746444292
                                                                                          • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                          • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                          • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                          • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                          • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID:
                                                                                          • API String ID: 1371578007-0
                                                                                          • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                          • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                          • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                          • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                          • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                          • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                          • String ID:
                                                                                          • API String ID: 408151869-0
                                                                                          • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                          • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0
                                                                                          • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                          • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                          • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                          • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID:
                                                                                          • API String ID: 2370142434-0
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02578A69
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 02578A89
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174342309.0000000002568000.00000040.00000020.00020000.00000000.sdmp, Offset: 02568000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2568000_dpbgdjiw.jbxd
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0
                                                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction ID: 3f83d9c07bf1a8397d54138170f447548537a72075ebc34fd8301782eec96196
                                                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction Fuzzy Hash: C8F090326407116FD7203BF9B88CBAE7AECBF49635F140528E646D10C0DBB0E8459A69

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000400,?,?,02C80223,?,?), ref: 02C80E19
                                                                                          • SetErrorMode.KERNELBASE(00000000,?,?,02C80223,?,?), ref: 02C80E1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction ID: ac362fad639c5c9b64cd8f07aeb9a6a6ad7bb22d7ae53432970dca695a8b64fe
                                                                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction Fuzzy Hash: 8ED0123214512877D7003A94DC09BCE7B1CDF05B66F008011FB0DD9080C770964046E5

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                            • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1823874839-0
                                                                                          • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                          • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ServiceStatus
                                                                                          • String ID:
                                                                                          • API String ID: 3969395364-0
                                                                                          • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                          • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                          • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                          • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02578751
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174342309.0000000002568000.00000040.00000020.00020000.00000000.sdmp, Offset: 02568000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2568000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: 5d485d6457236d43a1f5b9b84c02e605323f5655ba65feb86170f047a16532cb
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: 1D113C79A40208EFDB01DF98C989E98BFF5AF08351F098094F9489B361D371EA50EF84

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                            • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                          • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3100162736-0
                                                                                          • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                          • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                          • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                          • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 02C865F6
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02C86610
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02C86631
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02C86652
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction ID: 5ace20f99ba8f2db7caea61916507c4219cd29ea59a461dcad7799e9da0c77a7
                                                                                          • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction Fuzzy Hash: 6A117371600258BFDB21AF65DC4AF9B3FACEB457A9F108025FA08E7250D7B1DD008AA4
                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32 ref: 02C89E6D
                                                                                          • lstrcpy.KERNEL32(?,00000000), ref: 02C89FE1
                                                                                          • lstrcat.KERNEL32(?,?), ref: 02C89FF2
                                                                                          • lstrcat.KERNEL32(?,0041070C), ref: 02C8A004
                                                                                          • GetFileAttributesExA.KERNEL32(?,?,?), ref: 02C8A054
                                                                                          • DeleteFileA.KERNEL32(?), ref: 02C8A09F
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02C8A0D6
                                                                                          • lstrcpy.KERNEL32 ref: 02C8A12F
                                                                                          • lstrlen.KERNEL32(00000022), ref: 02C8A13C
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 02C89F13
                                                                                            • Part of subcall function 02C87029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02C87081
                                                                                            • Part of subcall function 02C86F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\mtjsuzee,02C87043), ref: 02C86F4E
                                                                                            • Part of subcall function 02C86F30: GetProcAddress.KERNEL32(00000000), ref: 02C86F55
                                                                                            • Part of subcall function 02C86F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02C86F7B
                                                                                            • Part of subcall function 02C86F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02C86F92
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 02C8A1A2
                                                                                          • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02C8A1C5
                                                                                          • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 02C8A214
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 02C8A21B
                                                                                          • GetDriveTypeA.KERNEL32(?), ref: 02C8A265
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 02C8A29F
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 02C8A2C5
                                                                                          • lstrcat.KERNEL32(?,00000022), ref: 02C8A2D9
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 02C8A2F4
                                                                                          • wsprintfA.USER32 ref: 02C8A31D
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 02C8A345
                                                                                          • lstrcat.KERNEL32(?,?), ref: 02C8A364
                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 02C8A387
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 02C8A398
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02C8A1D1
                                                                                            • Part of subcall function 02C89966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02C8999D
                                                                                            • Part of subcall function 02C89966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 02C899BD
                                                                                            • Part of subcall function 02C89966: RegCloseKey.ADVAPI32(?), ref: 02C899C6
                                                                                          • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 02C8A3DB
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 02C8A3E2
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 02C8A41D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                          • String ID: "$"$"$D$P$\
                                                                                          • API String ID: 1653845638-2605685093
                                                                                          • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                          • Instruction ID: 06925756f76ea49a9ebfaddbe7ad873e1a15d2e2f46d50b998fc6c8871e95f5a
                                                                                          • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                          • Instruction Fuzzy Hash: C0F145B1D40259AFDF11EBA08C48FEF7BBCAB48308F1484A6E609E2141E7759B85CF55
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                          • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                          • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                          • API String ID: 2238633743-3228201535
                                                                                          • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                          • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02C87D21
• GetUserNameA.ADVAPI32(?,?), ref: 02C87D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02C87D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02C87DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02C87DC0
• EqualSid.ADVAPI32(?,?), ref: 02C87DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02C87DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02C87DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02C87E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02C87E12
• LocalFree.KERNEL32(00000000), ref: 02C87E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02C87E35
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$D
• API String ID: 2976863881-2164713515
APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$D
• API String ID: 2976863881-2164713515
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02C87A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02C87ACD
• GetLengthSid.ADVAPI32(?), ref: 02C87ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02C87B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02C87B1F
• EqualSid.ADVAPI32(?,?), ref: 02C87B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02C87B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02C87B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02C87B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02C87B77
• LocalFree.KERNEL32(00000000), ref: 02C87B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02C87B9A
• GetAce.ADVAPI32(?,?,?), ref: 02C87BCA
• EqualSid.ADVAPI32(?,?), ref: 02C87BF1
• DeleteAce.ADVAPI32(?,?), ref: 02C87C0A
• EqualSid.ADVAPI32(?,?), ref: 02C87C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02C87CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02C87CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02C87CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02C87CE0
• LocalFree.KERNEL32(00000000), ref: 02C87CEE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$localcfg
• API String ID: 237177642-3593170167
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                          • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                            • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                          • API String ID: 4207808166-1381319158
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                          • API String ID: 835516345-270533642
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 02C8865A
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 02C8867B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 02C886A8
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02C886B1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: "$C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe
                                                                                          • API String ID: 237177642-2128151195
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                                          • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                          • htons.WS2_32(00000000), ref: 00402ADB
                                                                                          • select.WS2_32 ref: 00402B28
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                          • htons.WS2_32(?), ref: 00402B71
                                                                                          • htons.WS2_32(?), ref: 00402B8C
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 1639031587-0
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 02C81601
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 02C817D8
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $<$@$D
                                                                                          • API String ID: 1628651668-1974347203
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02C876D9
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02C87757
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 02C8778F
                                                                                          • ___ascii_stricmp.LIBCMT ref: 02C878B4
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 02C8794E
                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02C8796D
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 02C8797E
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 02C879AC
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 02C87A56
                                                                                            • Part of subcall function 02C8F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,02C8772A,?), ref: 02C8F414
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02C879F6
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 02C87A4D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                                          • RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                                          • RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                                          • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                          • String ID: $"
                                                                                          • API String ID: 4293430545-3817095088
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02C82CED
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 02C82D07
                                                                                          • htons.WS2_32(00000000), ref: 02C82D42
                                                                                          • select.WS2_32 ref: 02C82D8F
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 02C82DB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02C82E62
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 127016686-0
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                            • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                            • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                          • wsprintfA.USER32 ref: 0040AEA5
                                                                                            • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                          • wsprintfA.USER32 ref: 0040AE4F
                                                                                          • wsprintfA.USER32 ref: 0040AE5E
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                          • API String ID: 3631595830-1816598006
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                          • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                          • htons.WS2_32(00000035), ref: 00402E88
                                                                                          • inet_addr.WS2_32(?), ref: 00402E93
                                                                                          • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                          • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: GetNetworkParams$iphlpapi.dll
                                                                                          • API String ID: 929413710-2099955842
                                                                                          • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                          • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                          • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                          • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                          • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                                          • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                                          • CloseHandle.KERNEL32(000000FF,?,76230F10,00000000), ref: 00406971
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 2622201749-0
                                                                                          • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                          • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                          • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                          • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                          • wsprintfA.USER32 ref: 004093CE
                                                                                          • wsprintfA.USER32 ref: 0040940C
                                                                                          • wsprintfA.USER32 ref: 0040948D
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: runas
                                                                                          • API String ID: 3696105349-4000483414
                                                                                          • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                          • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                          • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                          • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040B467
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$wsprintf
                                                                                          • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                          • API String ID: 1220175532-2340906255
                                                                                          • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                          • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                          • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                          • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 02C8202D
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 02C8204F
                                                                                          • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 02C8206A
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02C82071
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 02C82082
                                                                                          • GetTickCount.KERNEL32 ref: 02C82230
                                                                                            • Part of subcall function 02C81E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02C81E7C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                          • API String ID: 4207808166-1391650218
                                                                                          • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                          • Instruction ID: 18819f8b4a410923343c914f2cf0c7281e7052aae025f84de9d76e2842614793
                                                                                          • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                          • Instruction Fuzzy Hash: 5F51A4B09007846FE330BF658C89F67BEECEB8570CF04891DF99682142D7B5A944CB66
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00402078
                                                                                          • GetTickCount.KERNEL32 ref: 004020D4
                                                                                          • GetTickCount.KERNEL32 ref: 004020DB
                                                                                          • GetTickCount.KERNEL32 ref: 0040212B
                                                                                          • GetTickCount.KERNEL32 ref: 00402132
                                                                                          • GetTickCount.KERNEL32 ref: 00402142
                                                                                            • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                            • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                            • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                            • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                            • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                          • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                          • API String ID: 3976553417-1522128867
                                                                                          • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                          • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                          • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                          • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                          APIs
                                                                                          • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                          • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
                                                                                          • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                          • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                          • ExitProcess.KERNEL32 ref: 00404121
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2404124870-0
                                                                                          • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                          • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                          APIs
                                                                                            • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                          • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                          • GetTickCount.KERNEL32 ref: 0040C363
                                                                                          • GetTickCount.KERNEL32 ref: 0040C378
                                                                                          • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                          • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                          • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1553760989-1857712256
                                                                                          • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                          • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                          • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                          • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02C83068
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02C83078
                                                                                          • GetProcAddress.KERNEL32(00000000,00410408), ref: 02C83095
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02C830B6
                                                                                          • htons.WS2_32(00000035), ref: 02C830EF
                                                                                          • inet_addr.WS2_32(?), ref: 02C830FA
                                                                                          • gethostbyname.WS2_32(?), ref: 02C8310D
                                                                                          • HeapFree.KERNEL32(00000000), ref: 02C8314D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: 23ed52635f96fc37c1e0ea75784fb2ae9d293356d75d8ae466113d227053a1c7
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 4831F831A00246ABDB11ABB4DC48BBE7B78EF44F28F14D1A5E518E7290DB74D641CB68
APIs
• GetVersionExA.KERNEL32(?), ref: 02C895A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02C895D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 02C895DC
• wsprintfA.USER32 ref: 02C89635
• wsprintfA.USER32 ref: 02C89673
• wsprintfA.USER32 ref: 02C896F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02C89758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02C8978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02C897D8
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: d9ddbfe5f4b249a1347349c149b441fa1bbd5fa5dd8a19a4ee1cff734a104611
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: 05A181B1900248AFEB21EFA1CC44FEA3BADEF44749F108026FA05D6251E775D684CFA5
APIs
• GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
APIs
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02C867C3
• htonl.WS2_32(?), ref: 02C867DF
• htonl.WS2_32(?), ref: 02C867EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 02C868F1
• ExitProcess.KERNEL32 ref: 02C869BC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitRead
• String ID: except_info$localcfg
• API String ID: 1430491713-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 823552e9ab29e4a1421c0d8aa3332845868a04edd48a7ff706db2e6d322accc6
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 6A617D71A40208AFDB60AFA4DC45FEA77E9FB48304F248066FA6CD2161EB759990CF14
APIs
• htons.WS2_32(02C8CC84), ref: 02C8F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 02C8F5CE
• closesocket.WS2_32(00000000), ref: 02C8F5DC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 79f65c41262c3ef7c6d2ba7deaae124942775ab470a41c3a77b0f89d66c25dae
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 13316E7290011CABDB10EFA5DC88DEE7BBCEF88314F50856AF915E3150E7709A818BA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 02C82FA1
• LoadLibraryA.KERNEL32(?), ref: 02C82FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 02C82FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02C83000
• RtlAllocateHeap.NTDLL(00000000), ref: 02C83007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02C83032
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: e282a9ae13010c98a5f018feb87e476c3ed3637619c3936ef8b41bef03e75bc7
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 6B219071D00629BBCB21AB95DC48AAEBBB8EF48B58F008461F901E7140D7B59A81C7E4
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02C89A18
• GetThreadContext.KERNEL32(?,?), ref: 02C89A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02C89A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02C89A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02C89AB5
• ResumeThread.KERNEL32(?), ref: 02C89AC2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: d0f35fd031db94807b48b85be03c4a54c7c6ba6619d086b0d553143e1b78654c
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: DF213BB1A41219BBDB11ABA1DC09EEF7BBCEF04758F408061FA19E1150E7759A44CBA4
APIs
• inet_addr.WS2_32(004102D8), ref: 02C81C18
• LoadLibraryA.KERNEL32(004102C8), ref: 02C81C26
• GetProcessHeap.KERNEL32 ref: 02C81C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02C81C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02C81CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 02C81D02
• FreeLibrary.KERNEL32(?), ref: 02C81D0B
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 44efeac4bca20bc10389a0dfe5bfc2594f608a0593ca17063aef30775bd7362b
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: 47313032D00219BFCB11AFA4DC889AEBBF9EB85719B28847AE505A2110D7F54E81DB54
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02C86CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02C86D22
• GetLastError.KERNEL32 ref: 02C86DA7
• CloseHandle.KERNEL32(?), ref: 02C86DB5
• GetLastError.KERNEL32 ref: 02C86DD6
• DeleteFileA.KERNEL32(?), ref: 02C86DE7
• GetLastError.KERNEL32 ref: 02C86DFD
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
                                                                                          • API String ID: 3873183294-0
                                                                                          • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction ID: 48601d3c7b235b3e46c05e7a2e946c19cfaf12774895b92c53acb70e7b5f3f50
                                                                                          • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction Fuzzy Hash: D5310372900249BFCB01EFA5DD44ADE7F7DEB88308F24C466E251E3211E7708A858B61
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\mtjsuzee,02C87043), ref: 02C86F4E
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02C86F55
                                                                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02C86F7B
                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02C86F92
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                          • String ID: C:\Windows\SysWOW64\$\\.\pipe\mtjsuzee
                                                                                          • API String ID: 1082366364-3446391654
                                                                                          • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                          • Instruction ID: 826c8ff7ed0c29d1e1a2bf41e00887625c64b2882bc3be6d1b60f4ae590f9dd3
                                                                                          • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                          • Instruction Fuzzy Hash: 0121047174034039F72273319C8CFFB6E4C8B92718F28C0A9F944D5580EBD985DA82AD
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen
                                                                                          • String ID: $localcfg
                                                                                          • API String ID: 1659193697-2018645984
                                                                                          • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction ID: 198fc12ca57c382b94515c7ce4782ac1fe01528965ca73b70db3281ee807ea80
                                                                                          • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction Fuzzy Hash: 19712972A40304BADF21BB54DC85FFE3769AB4070DF24C067FA05E6090EF669A84CB59
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                          • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                          • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                          • String ID: flags_upd$localcfg
                                                                                          • API String ID: 204374128-3505511081
                                                                                          • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                          • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                          APIs
                                                                                            • Part of subcall function 02C8DF6C: GetCurrentThreadId.KERNEL32 ref: 02C8DFBA
                                                                                          • lstrcmp.KERNEL32(00410178,00000000), ref: 02C8E8FA
                                                                                          • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02C86128), ref: 02C8E950
                                                                                          • lstrcmp.KERNEL32(?,00000008), ref: 02C8E989
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 2920362961-1846390581
                                                                                          • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction ID: af845370f9e80aaf235c90eae09c4caea98e69083ff458b6f5b28b1fdbb4674f
                                                                                          • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction Fuzzy Hash: 87319E31A00715ABDB71AF25D884BEA7BE4EF85729F00C92AF55687550D3B1EA80CB81
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction ID: 76a61343ecfdcb3f2cf02aa400dad8b7656c824c6736c8415248888590881279
                                                                                          • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction Fuzzy Hash: 71211A73204259BFDB10BBA5FC49EDF7FAEEB49669B20C425F502D1090EB70DA409A74
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                          • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?), ref: 02C892E2
                                                                                          • wsprintfA.USER32 ref: 02C89350
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02C89375
                                                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 02C89389
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000), ref: 02C89394
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02C8939B
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 2439722600-0
                                                                                          • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction ID: 2616191b9bdd3717e8f83d4c5f13155ef8fcca9bbcb5c5f6e60a5c33be55d5f8
                                                                                          • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction Fuzzy Hash: 45116DB26401147AE7207B22EC0DFEF3A6EDBC8B15F00C065BB09A5190EBB54A459AA4
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                          • wsprintfA.USER32 ref: 004090E9
                                                                                          • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 2439722600-0
                                                                                          • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                          • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                          • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                          • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                          • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 02C8C6B4
                                                                                          • InterlockedIncrement.KERNEL32(02C8C74B), ref: 02C8C715
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,02C8C747), ref: 02C8C728
                                                                                          • CloseHandle.KERNEL32(00000000,?,02C8C747,00413588,02C88A77), ref: 02C8C733
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1026198776-1857712256
                                                                                          • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction ID: 7f6050f0a05cbfa234495dde7b5dd99d4abb8b9492da1a453c169de0050e3cfa
                                                                                          • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction Fuzzy Hash: 505141B1A01B418FD7689F69C5D4626BBE9FB48308B50993FE18BC7A90D774F644CB20
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                            • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe
                                                                                          • API String ID: 124786226-648084860
                                                                                          • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                          • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                          • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                          • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 02C871E1
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02C87228
                                                                                          • LocalFree.KERNEL32(?,?,?), ref: 02C87286
                                                                                          • wsprintfA.USER32 ref: 02C8729D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                          • String ID: |
                                                                                          • API String ID: 2539190677-2343686810
                                                                                          • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction ID: 81a18a0e15fb76d01e3c36b3121a12fe58a94f13f51dad91c0431902ac02f246
                                                                                          • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction Fuzzy Hash: FD310776A00209BBDB01EFA8DC45ADA7BACEF04318F14C066F959DB200EB75D7488B94
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                          • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                          • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpen
                                                                                          • String ID:
                                                                                          • API String ID: 1586453840-0
                                                                                          • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                          • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 02C8B51A
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02C8B529
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 02C8B548
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 02C8B590
                                                                                          • wsprintfA.USER32 ref: 02C8B61E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 4026320513-0
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: f099e3ebabbb4ed9e113e0d06d19df95073fdaa3bff98fcbe5920f1c96a695c5
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: 42510FB1D0021DAACF14DFD5D8885EEBBB9BF49308F10816AF505A6150E7B94AC9CF98
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 02C86303
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 02C8632A
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 02C863B1
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02C86405
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction ID: 9a53fd9dc0d323ba4f4a1b354d95966a189ef0b5a4327842c309b2add75eb231
                                                                                          • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction Fuzzy Hash: 4C415CB1A00205AFDB14EF59D884BADB7B8FF8435CF24C169E919D7290D771EA40DB50
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                          • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                          • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                          • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                          • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                          • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                          • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                          • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: A$ A
                                                                                          • API String ID: 3343386518-686259309
                                                                                          • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                          • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040272E
                                                                                          • htons.WS2_32(00000001), ref: 00402752
                                                                                          • htons.WS2_32(0000000F), ref: 004027D5
                                                                                          • htons.WS2_32(00000001), ref: 004027E3
                                                                                          • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                            • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1802437671-0
                                                                                          • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                          • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                          APIs
                                                                                          • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                          • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: setsockopt
                                                                                          • String ID:
                                                                                          • API String ID: 3981526788-0
                                                                                          • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                          • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02C893C6
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 02C893CD
                                                                                          • CharToOemA.USER32(?,?), ref: 02C893DB
                                                                                          • wsprintfA.USER32 ref: 02C89410
                                                                                            • Part of subcall function 02C892CB: GetTempPathA.KERNEL32(00000400,?), ref: 02C892E2
                                                                                            • Part of subcall function 02C892CB: wsprintfA.USER32 ref: 02C89350
                                                                                            • Part of subcall function 02C892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02C89375
                                                                                            • Part of subcall function 02C892CB: lstrlen.KERNEL32(?,?,00000000), ref: 02C89389
                                                                                            • Part of subcall function 02C892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02C89394
                                                                                            • Part of subcall function 02C892CB: CloseHandle.KERNEL32(00000000), ref: 02C8939B
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02C89448
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3857584221-0
                                                                                          • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction ID: fddb519c22e16e4b15d4508507bd7562c410ad4695e0f6f4a0bf39df7266f22f
                                                                                          • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction Fuzzy Hash: F2015EF69001587BDB21A7619D8DEEF3B7CDB95705F0040A2BB49E2080EAB497C58F75
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                          • CharToOemA.USER32(?,?), ref: 00409174
                                                                                          • wsprintfA.USER32 ref: 004091A9
                                                                                            • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                            • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                            • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3857584221-0
                                                                                          • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                          • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                          • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 2574300362-1087626847
                                                                                          • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                          • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2777991786-2393279970
                                                                                          • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                          • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                          • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                          • String ID: *p@
                                                                                          • API String ID: 3429775523-2474123842
                                                                                          • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                          • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg$u6A
                                                                                          • API String ID: 1594361348-1940331995
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 7fcb5ed52628197f6c72468aaf24fbb5e5364ac2335c307873130d9e36e5dc76
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 17E08C316041519FCB10AB28F848AC537A4AF8A234F00C180F840C31A0C7349D809641
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 02C869E5
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 02C86A26
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 02C86A3A
                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 02C86BD8
                                                                                            • Part of subcall function 02C8EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02C81DCF,?), ref: 02C8EEA8
                                                                                            • Part of subcall function 02C8EE95: HeapFree.KERNEL32(00000000), ref: 02C8EEAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 3384756699-0
                                                                                          • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction ID: 125d5fcca4805bdd75530b6a136654f9debb88e579be9befe7e88eeabc92a98d
                                                                                          • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction Fuzzy Hash: F971177190021DEFDB11AFA4CC81AFEBBB9FB44318F2085AAE515A6190D7349F92DB50
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                          • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,02C8E50A,00000000,00000000,00000000,00020106,00000000,02C8E50A,00000000,000000E4), ref: 02C8E319
                                                                                          • RegSetValueExA.ADVAPI32(02C8E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 02C8E38E
                                                                                          • RegDeleteValueA.ADVAPI32(02C8E50A,?,?,?,?,?,000000C8,004122F8), ref: 02C8E3BF
                                                                                          • RegCloseKey.ADVAPI32(02C8E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,02C8E50A), ref: 02C8E3C8
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID:
                                                                                          • API String ID: 2667537340-0
                                                                                          • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction ID: 579a14bae885a279ed07f5bd8b3a246ca9cf5a69d4d0ca4c332267889095c64c
                                                                                          • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction Fuzzy Hash: 41216171A0021DBBDF21AFA5EC85EDE7F79EF48754F008025F908E6150E3718A54DB90
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                          • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                          • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID:
                                                                                          • API String ID: 2667537340-0
                                                                                          • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                          • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02C8421F
                                                                                          • GetLastError.KERNEL32 ref: 02C84229
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 02C8423A
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C8424D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: 008cc490e5796834bca3cb54b48ba33b662abfaa0165f1858493f44d926b2042
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: E401C87251510AAFDF11EF90ED84BEF7BACEB48259F108461F901E2051D770DA548BB6
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02C841AB
                                                                                          • GetLastError.KERNEL32 ref: 02C841B5
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 02C841C6
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C841D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 02C8E066
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 02C883C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02C88477
  • Part of subcall function 02C869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 02C869E5
  • Part of subcall function 02C869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02C86A26
  • Part of subcall function 02C869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02C86A3A
  • Part of subcall function 02C8EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02C81DCF,?), ref: 02C8EEA8
  • Part of subcall function 02C8EE95: HeapFree.KERNEL32(00000000), ref: 02C8EEAF
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe
• API String ID: 359188348-648084860
APIs
• GetLocalTime.KERNEL32(?), ref: 02C8AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02C8B00D
  • Part of subcall function 02C8AF6F: gethostname.WS2_32(?,00000080), ref: 02C8AF83
  • Part of subcall function 02C8AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 02C8AFE6
  • Part of subcall function 02C8331C: gethostname.WS2_32(?,00000080), ref: 02C8333F
  • Part of subcall function 02C8331C: gethostbyname.WS2_32(?), ref: 02C83349
  • Part of subcall function 02C8AA0A: inet_ntoa.WS2_32(00000000), ref: 02C8AA10
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02C89536
• Sleep.KERNEL32(000001F4), ref: 02C8955D
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Similarity
• API ID: ExecuteShellSleep
• API String ID: 4194306370-3916222277
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
APIs
• GetTickCount.KERNEL32 ref: 02C8B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 02C8BA3A
• InterlockedIncrement.KERNEL32(?), ref: 02C8BA94
• GetTickCount.KERNEL32 ref: 02C8BB79
• GetTickCount.KERNEL32 ref: 02C8BB99
• InterlockedIncrement.KERNEL32(?), ref: 02C8BE15
• closesocket.WS2_32(00000000), ref: 02C8BEB4
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                          • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                          APIs
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                          • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                          APIs
                                                                                            • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                            • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 3716169038-2903620461
                                                                                          • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                          • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 02C870BC
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 02C870F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID: |
                                                                                          • API String ID: 2370142434-2343686810
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: 79668ab91de197739a6716bb6985622b0aa51dba881c1a3ca4e5ef4b6903432d
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: 7D11617690011CEBDF51DFD4DC84AEEF7BCAB04309F2481AAE515E6094E7709B88CBA0
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2777991786-1857712256
                                                                                          • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                          • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                          • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: IncrementInterlockedlstrcpyn
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 224340156-2903620461
                                                                                          • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                          • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                          • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                          • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                          • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                          APIs
                                                                                            • Part of subcall function 02C82F88: GetModuleHandleA.KERNEL32(?), ref: 02C82FA1
                                                                                            • Part of subcall function 02C82F88: LoadLibraryA.KERNEL32(?), ref: 02C82FB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C831DA
                                                                                          • HeapFree.KERNEL32(00000000), ref: 02C831E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction ID: d9262e1c7266917226e61d2f04ccf54687f569a7fdafe70a092e0a998dcae3f4
                                                                                          • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction Fuzzy Hash: 51518E71900286AFCB01AF64DC889FAB775FF45708B1495A9EC96C7211E7329A19CB90
                                                                                          APIs
                                                                                            • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                          • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
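The function blocks above all follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Yara matches, Similarity), which makes them easy to mine mechanically, for example to pivot on an Opcode ID across reports or to recover the imports the sample resolves at run time. The Python below is an added example, not code from this report or from the Joe Sandbox product: it parses such blocks into records and pairs each GetProcAddress with the library named in the preceding LoadLibraryA, as in the Iphlpapi.dll / GetAdaptersAddresses entry above. SAMPLE is an abridged two-block excerpt copied from this report's own entries; the class, field and function names are this script's own assumptions.

```python
"""Parse Joe Sandbox function-analysis blocks (as rendered in the report) into records.

Added example, not part of the report or of Joe Sandbox. SAMPLE is an abridged
excerpt of two blocks copied from this report; the names below are this script's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• InterlockedIncrement.KERNEL32(?), ref: 02C8BA94
• GetTickCount.KERNEL32 ref: 02C8BB79
• closesocket.WS2_32(00000000), ref: 02C8BEB4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2174405281.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2c80000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction Fuzzy Hash: 6A316F72500288EFDF25EFA4DC44AEEB7B9EB44708F20805AFA14D2160EB75DA85CF54
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2173205901.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_dpbgdjiw.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
"""

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Yara matches", "Similarity"}
# One recorded call: optional "Part of subcall function X:" prefix, Name.MODULE,
# an optional "(args)," list and the call-site address after "ref:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]            # stack slots as recorded; can be longer than the real arity
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when listed as "Part of subcall function"


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)  # "• key: value" lines


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                 # every block starts with this header
            blocks.append(FunctionBlock())
            section = "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not blocks:                     # text before the first block
            continue
        cur = blocks[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                caller = int(m["caller"], 16) if m["caller"] else None
                cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
        elif section == "Strings":
            cur.strings.append(line.lstrip("• ").strip())
        else:
            m = FIELD_RE.match(line)
            if m:
                cur.fields[m["key"]] = m["val"].strip()
    return blocks


def _placeholder(tok: str) -> bool:
    """'?' and bare 8-digit hex slots are unresolved stack values, not strings."""
    return tok == "?" or HEX32_RE.fullmatch(tok) is not None


def dynamic_imports(block: FunctionBlock) -> list[tuple[Optional[str], Optional[str]]]:
    """Pair each GetProcAddress symbol with the library of the preceding LoadLibraryA."""
    pairs, lib = [], None
    for call in block.apis:
        if call.name == "LoadLibraryA" and call.args:
            lib = None if _placeholder(call.args[0]) else call.args[0]
        elif call.name == "GetProcAddress" and len(call.args) >= 2:
            pairs.append((lib, None if _placeholder(call.args[1]) else call.args[1]))
    return pairs
```

Run it over a report saved as plain text and key the resulting blocks by `fields["Opcode ID"]` to compare function bodies between reports. On the ntdll.dll block listed above, `dynamic_imports` returns `[("ntdll.dll", None)]`, because the GetProcAddress name argument was recorded as the placeholder 00000000 rather than a string; a None there is a signal to look at the function itself, not a parser failure.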

                                                                                          Execution Graph

                                                                                          Execution Coverage:15%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:0.7%
                                                                                          Total number of Nodes:1806
                                                                                          Total number of Limit Nodes:18
                                                                                           execution_graph (rendered in the report as an interactive call graph; the raw node and edge export is not reproduced here). Entry nodes and the Win32 APIs reached along the graphed paths, as named in that export:
                                                                                           • 3229a6b: SetErrorMode, SetUnhandledExceptionFilter, GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount, GetModuleHandleA, GetModuleFileNameA, GetCommandLineA, CharToOemA, GetTempPathA, GetEnvironmentVariableA, RegOpenKeyExA, RegSetValueExA, RegCloseKey, CreateProcessA, wsprintfA, DeleteFileA, GetFileAttributesExA, GetDriveTypeA, ExitProcess, CreateThread, WSAStartup, CreateEventA, Sleep, GetLastError, StartServiceCtrlDispatcherA, GetFileSize, ReadFile, CloseHandle, GetVersionExA, GetSystemInfo, GetCurrentProcess, LoadLibraryA, GetProcAddress, inet_addr, lstrlenA, lstrcpyA, lstrcatA
                                                                                           • 3229961: RegisterServiceCtrlHandlerA, SetServiceStatus
                                                                                           • 3225e21: lstrcmpA, lstrcpyA
                                                                                           • 3224861: IsBadWritePtr
                                                                                           • 3224960, 32235a5: no direct API calls on the graphed path
6839 322704c 6322->6839 6826 3227ee6 6323->6826 6326 3228269 CreateThread 6345 3225e6c 6326->6345 7301 322877e 6326->7301 6327 32280f4 6327->6326 6329 322675c 21 API calls 6327->6329 6328 3228110 6328->6327 6330 3228156 RegOpenKeyExA 6328->6330 6335 3228244 6329->6335 6331 3228216 6330->6331 6332 322816d RegQueryValueExA 6330->6332 6331->6327 6333 32281f7 6332->6333 6334 322818d 6332->6334 6336 322820d RegCloseKey 6333->6336 6338 322ec2e codecvt 4 API calls 6333->6338 6334->6333 6339 322ebcc 4 API calls 6334->6339 6335->6326 6337 322ec2e codecvt 4 API calls 6335->6337 6336->6331 6337->6326 6344 32281dd 6338->6344 6340 32281a0 6339->6340 6340->6336 6341 32281aa RegQueryValueExA 6340->6341 6341->6333 6342 32281c4 6341->6342 6343 322ebcc 4 API calls 6342->6343 6343->6344 6344->6336 6941 322ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6345->6941 6347 3225e71 6942 322e654 6347->6942 6349 3225ec1 6350 3223132 6349->6350 6351 322df70 12 API calls 6350->6351 6352 322313b 6351->6352 6353 322c125 6352->6353 6953 322ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6353->6953 6355 322c12d 6356 322e654 13 API calls 6355->6356 6357 322c2bd 6356->6357 6358 322e654 13 API calls 6357->6358 6359 322c2c9 6358->6359 6360 322e654 13 API calls 6359->6360 6361 322a47a 6360->6361 6362 3228db1 6361->6362 6363 3228dbc 6362->6363 6364 322e654 13 API calls 6363->6364 6365 3228dec Sleep 6364->6365 6365->6183 6367 322c92f 6366->6367 6368 322c93c 6367->6368 6965 322c517 6367->6965 6370 322ca2b 6368->6370 6371 322e819 11 API calls 6368->6371 6370->6183 6372 322c96a 6371->6372 6373 322e819 11 API calls 6372->6373 6374 322c97d 6373->6374 6375 322e819 11 API calls 6374->6375 6376 322c990 6375->6376 6377 322c9aa 6376->6377 6378 322ebcc 4 API calls 6376->6378 6377->6370 6954 3222684 6377->6954 6378->6377 6383 322ca26 6982 322c8aa 6383->6982 6386 322ca44 6387 322ca4b closesocket 6386->6387 6388 322ca83 6386->6388 6387->6383 6389 322ea84 30 API calls 6388->6389 6390 
322caac 6389->6390 6391 322f04e 4 API calls 6390->6391 6392 322cab2 6391->6392 6393 322ea84 30 API calls 6392->6393 6394 322caca 6393->6394 6395 322ea84 30 API calls 6394->6395 6396 322cad9 6395->6396 6986 322c65c 6396->6986 6399 322cb60 closesocket 6399->6370 6401 322dad2 closesocket 6402 322e318 23 API calls 6401->6402 6403 322dae0 6402->6403 6403->6370 6404 322df4c 20 API calls 6431 322cb70 6404->6431 6409 322e654 13 API calls 6409->6431 6412 322f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6412->6431 6416 322ea84 30 API calls 6416->6431 6417 322d815 wsprintfA 6417->6431 6418 322cc1c GetTempPathA 6418->6431 6419 322d569 closesocket Sleep 7033 322e318 6419->7033 6420 3227ead 6 API calls 6420->6431 6421 322c517 23 API calls 6421->6431 6423 322e8a1 30 API calls 6423->6431 6424 322d582 ExitProcess 6425 322cfe3 GetSystemDirectoryA 6425->6431 6426 322675c 21 API calls 6426->6431 6427 322d027 GetSystemDirectoryA 6427->6431 6428 322c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6428->6431 6429 322cfad GetEnvironmentVariableA 6429->6431 6430 322d105 lstrcatA 6430->6431 6431->6401 6431->6404 6431->6409 6431->6412 6431->6416 6431->6417 6431->6418 6431->6419 6431->6420 6431->6421 6431->6423 6431->6425 6431->6426 6431->6427 6431->6428 6431->6429 6431->6430 6432 322ef1e lstrlenA 6431->6432 6433 322ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6431->6433 6434 322cc9f CreateFileA 6431->6434 6435 322d15b CreateFileA 6431->6435 6440 322d149 SetFileAttributesA 6431->6440 6442 322d36e GetEnvironmentVariableA 6431->6442 6443 322d1bf SetFileAttributesA 6431->6443 6444 3228e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6431->6444 6446 322d22d GetEnvironmentVariableA 6431->6446 6448 322d3af lstrcatA 6431->6448 6450 3227fcf 64 API calls 6431->6450 6451 322d3f2 CreateFileA 6431->6451 6457 322d26e lstrcatA 6431->6457 6459 322d4b1 CreateProcessA 6431->6459 6460 322d3e0 SetFileAttributesA 
6431->6460 6461 322d2b1 CreateFileA 6431->6461 6463 322d452 SetFileAttributesA 6431->6463 6465 3227ee6 64 API calls 6431->6465 6466 322d29f SetFileAttributesA 6431->6466 6469 322d31d SetFileAttributesA 6431->6469 6994 322c75d 6431->6994 7006 3227e2f 6431->7006 7028 3227ead 6431->7028 7038 32231d0 6431->7038 7055 3223c09 6431->7055 7065 3223a00 6431->7065 7069 322e7b4 6431->7069 7072 322c06c 6431->7072 7078 3226f5f GetUserNameA 6431->7078 7089 322e854 6431->7089 7099 3227dd6 6431->7099 6432->6431 6433->6431 6434->6431 6436 322ccc6 WriteFile 6434->6436 6435->6431 6437 322d182 WriteFile CloseHandle 6435->6437 6438 322cdcc CloseHandle 6436->6438 6439 322cced CloseHandle 6436->6439 6437->6431 6438->6431 6445 322cd2f 6439->6445 6440->6435 6441 322cd16 wsprintfA 6441->6445 6442->6431 6443->6431 6444->6431 6445->6441 7015 3227fcf 6445->7015 6446->6431 6448->6431 6448->6451 6450->6431 6451->6431 6454 322d415 WriteFile CloseHandle 6451->6454 6452 322cd81 WaitForSingleObject CloseHandle CloseHandle 6455 322f04e 4 API calls 6452->6455 6453 322cda5 6456 3227ee6 64 API calls 6453->6456 6454->6431 6455->6453 6458 322cdbd DeleteFileA 6456->6458 6457->6431 6457->6461 6458->6431 6459->6431 6462 322d4e8 CloseHandle CloseHandle 6459->6462 6460->6451 6461->6431 6464 322d2d8 WriteFile CloseHandle 6461->6464 6462->6431 6463->6431 6464->6431 6465->6431 6466->6461 6469->6431 6471 3226784 CreateFileA 6470->6471 6472 322677a SetFileAttributesA 6470->6472 6473 32267a4 CreateFileA 6471->6473 6474 32267b5 6471->6474 6472->6471 6473->6474 6475 32267c5 6474->6475 6476 32267ba SetFileAttributesA 6474->6476 6477 3226977 6475->6477 6478 32267cf GetFileSize 6475->6478 6476->6475 6477->6165 6498 3226a60 CreateFileA 6477->6498 6479 32267e5 6478->6479 6480 3226965 6478->6480 6479->6480 6482 32267ed ReadFile 6479->6482 6481 322696e CloseHandle 6480->6481 6481->6477 6482->6480 6483 3226811 SetFilePointer 6482->6483 6483->6480 6484 322682a ReadFile 6483->6484 6484->6480 6485 3226848 SetFilePointer 
6484->6485 6485->6480 6486 3226867 6485->6486 6487 32268d5 6486->6487 6488 3226878 ReadFile 6486->6488 6487->6481 6490 322ebcc 4 API calls 6487->6490 6489 32268d0 6488->6489 6492 3226891 6488->6492 6489->6487 6491 32268f8 6490->6491 6491->6480 6493 3226900 SetFilePointer 6491->6493 6492->6488 6492->6489 6494 322695a 6493->6494 6495 322690d ReadFile 6493->6495 6497 322ec2e codecvt 4 API calls 6494->6497 6495->6494 6496 3226922 6495->6496 6496->6481 6497->6480 6499 3226a8f GetDiskFreeSpaceA 6498->6499 6500 3226b8c GetLastError 6498->6500 6501 3226ac5 6499->6501 6510 3226ad7 6499->6510 6508 3226b86 6500->6508 7184 322eb0e 6501->7184 6505 3226b56 CloseHandle 6505->6508 6509 3226b65 GetLastError CloseHandle 6505->6509 6506 3226b36 GetLastError CloseHandle 6507 3226b7f DeleteFileA 6506->6507 6507->6508 6508->6181 6509->6507 7188 3226987 6510->7188 6512 32296b9 6511->6512 6513 32273ff 17 API calls 6512->6513 6514 32296e2 6513->6514 6515 32296f7 6514->6515 6516 322704c 16 API calls 6514->6516 6515->6158 6515->6159 6516->6515 6518 32242a5 6517->6518 6519 322429d 6517->6519 7194 3223ecd 6518->7194 6519->6163 6519->6178 6521 32242b0 7198 3224000 6521->7198 6523 32243c1 CloseHandle 6523->6519 6524 32242b6 6524->6519 6524->6523 7204 3223f18 WriteFile 6524->7204 6529 32243ba CloseHandle 6529->6523 6530 3224318 6531 3223f18 4 API calls 6530->6531 6532 3224331 6531->6532 6533 3223f18 4 API calls 6532->6533 6534 322434a 6533->6534 6535 322ebcc 4 API calls 6534->6535 6536 3224350 6535->6536 6537 3223f18 4 API calls 6536->6537 6538 3224389 6537->6538 6539 322ec2e codecvt 4 API calls 6538->6539 6540 322438f 6539->6540 6541 3223f8c 4 API calls 6540->6541 6542 322439f CloseHandle CloseHandle 6541->6542 6542->6519 6544 32299eb 6543->6544 6545 3229a2f lstrcatA 6544->6545 6546 322ee2a 6545->6546 6547 3229a4b lstrcatA 6546->6547 6548 3226a60 13 API calls 6547->6548 6549 3229a60 6548->6549 6549->6188 6549->6216 6550 3226dc2 6549->6550 6551 3226e33 6550->6551 6552 3226dd7 6550->6552 
6551->6203 6553 3226cc9 5 API calls 6552->6553 6554 3226ddc 6553->6554 6555 3226e02 GetVolumeInformationA 6554->6555 6556 3226e24 6554->6556 6555->6556 6556->6551 6558 3226cdc GetModuleHandleA GetProcAddress 6557->6558 6565 3226d8b 6557->6565 6559 3226d12 GetSystemDirectoryA 6558->6559 6560 3226cfd 6558->6560 6561 3226d27 GetWindowsDirectoryA 6559->6561 6562 3226d1e 6559->6562 6560->6559 6560->6565 6563 3226d42 6561->6563 6562->6561 6562->6565 6564 322ef1e lstrlenA 6563->6564 6564->6565 6565->6213 7212 3221910 6566->7212 6569 322934a GetModuleHandleA GetModuleFileNameA 6571 322937f 6569->6571 6572 32293a4 6571->6572 6573 32293d9 6571->6573 6574 32293c3 wsprintfA 6572->6574 6575 3229401 wsprintfA 6573->6575 6576 3229415 6574->6576 6575->6576 6579 3226cc9 5 API calls 6576->6579 6599 32294a0 6576->6599 6577 3226edd 5 API calls 6578 32294ac 6577->6578 6580 322962f 6578->6580 6582 32294e8 RegOpenKeyExA 6578->6582 6581 3229439 6579->6581 6589 3229646 6580->6589 7227 3221820 6580->7227 6587 322ef1e lstrlenA 6581->6587 6585 32294fb 6582->6585 6586 3229502 6582->6586 6585->6580 6588 322958a 6585->6588 6590 322951f RegQueryValueExA 6586->6590 6593 3229462 6587->6593 6588->6589 6594 3229593 6588->6594 6596 32295d6 6589->6596 7233 32291eb 6589->7233 6591 3229530 6590->6591 6592 3229539 6590->6592 6595 322956e RegCloseKey 6591->6595 6597 3229556 RegQueryValueExA 6592->6597 6598 322947e wsprintfA 6593->6598 6594->6596 7214 322f0e4 6594->7214 6595->6585 6596->6223 6596->6224 6597->6591 6597->6595 6598->6599 6599->6577 6601 32295bb 6601->6596 7221 32218e0 6601->7221 6604 3222544 6603->6604 6605 322972d RegOpenKeyExA 6604->6605 6606 3229740 6605->6606 6608 3229765 6605->6608 6607 322974f RegDeleteValueA RegCloseKey 6606->6607 6607->6608 6608->6198 6610 3222554 lstrcatA 6609->6610 6611 322ee2a 6610->6611 6612 322a0ec lstrcatA 6611->6612 6612->6231 6614 322ec37 6613->6614 6615 322a15d 6613->6615 6616 322eba0 codecvt 2 API calls 6614->6616 6615->6163 6615->6165 6617 322ec3d 
GetProcessHeap RtlFreeHeap 6616->6617 6617->6615 6619 3222544 6618->6619 6620 322919e wsprintfA 6619->6620 6621 32291bb 6620->6621 7272 3229064 GetTempPathA 6621->7272 6624 32291e7 6624->6181 6625 32291d5 ShellExecuteA 6625->6624 6627 3226ed5 6626->6627 6628 3226ecc 6626->6628 6627->6218 6629 3226e36 2 API calls 6628->6629 6629->6627 6631 32298f6 6630->6631 6632 3224280 30 API calls 6631->6632 6633 3229904 Sleep 6631->6633 6634 3229915 6631->6634 6632->6631 6633->6631 6633->6634 6636 3229947 6634->6636 7279 322977c 6634->7279 6636->6214 6638 322dd41 InterlockedExchange 6637->6638 6639 322dd20 GetCurrentThreadId 6638->6639 6640 322dd4a 6638->6640 6641 322dd53 GetCurrentThreadId 6639->6641 6642 322dd2e GetTickCount 6639->6642 6640->6641 6641->6250 6643 322dd39 Sleep 6642->6643 6644 322dd4c 6642->6644 6643->6638 6644->6641 6646 322dbf0 6645->6646 6678 322db67 GetEnvironmentVariableA 6646->6678 6648 322dcda 6648->6252 6649 322dc19 6649->6648 6650 322db67 3 API calls 6649->6650 6651 322dc5c 6650->6651 6651->6648 6652 322db67 3 API calls 6651->6652 6653 322dc9b 6652->6653 6653->6648 6654 322db67 3 API calls 6653->6654 6654->6648 6656 322e3f4 6655->6656 6657 322e528 6655->6657 6658 322e434 RegQueryValueExA 6656->6658 6657->6264 6659 322e458 6658->6659 6660 322e51d RegCloseKey 6658->6660 6661 322e46e RegQueryValueExA 6659->6661 6660->6657 6661->6659 6662 322e488 6661->6662 6662->6660 6663 322db2e 8 API calls 6662->6663 6664 322e499 6663->6664 6664->6660 6665 322e4b9 RegQueryValueExA 6664->6665 6666 322e4e8 6664->6666 6665->6664 6665->6666 6666->6660 6667 322e332 14 API calls 6666->6667 6668 322e513 6667->6668 6668->6660 6670 322db55 6669->6670 6671 322db3a 6669->6671 6670->6255 6670->6259 6682 322ebed 6671->6682 6700 322f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6673->6700 6675 322e3be 6675->6255 6676 322e342 6676->6675 6703 322de24 6676->6703 6679 322dbca 6678->6679 6680 322db89 lstrcpyA CreateFileA 6678->6680 6679->6649 6680->6649 6683 322ec01 6682->6683 6684 
322ebf6 6682->6684 6694 322eba0 6683->6694 6691 322ebcc GetProcessHeap RtlAllocateHeap 6684->6691 6692 322eb74 2 API calls 6691->6692 6693 322ebe8 6692->6693 6693->6670 6695 322eba7 GetProcessHeap HeapSize 6694->6695 6696 322ebbf GetProcessHeap HeapReAlloc 6694->6696 6695->6696 6697 322eb74 6696->6697 6698 322eb7b GetProcessHeap HeapSize 6697->6698 6699 322eb93 6697->6699 6698->6699 6699->6670 6714 322eb41 6700->6714 6702 322f0b7 6702->6676 6704 322de3a 6703->6704 6710 322de4e 6704->6710 6723 322dd84 6704->6723 6707 322ebed 8 API calls 6712 322def6 6707->6712 6708 322de9e 6708->6707 6708->6710 6709 322de76 6727 322ddcf 6709->6727 6710->6676 6712->6710 6713 322ddcf lstrcmpA 6712->6713 6713->6710 6715 322eb4a 6714->6715 6718 322eb61 6714->6718 6719 322eae4 6715->6719 6717 322eb54 6717->6702 6717->6718 6718->6702 6720 322eb02 GetProcAddress 6719->6720 6721 322eaed LoadLibraryA 6719->6721 6720->6717 6721->6720 6722 322eb01 6721->6722 6722->6717 6724 322dd96 6723->6724 6725 322ddc5 6723->6725 6724->6725 6726 322ddad lstrcmpiA 6724->6726 6725->6708 6725->6709 6726->6724 6726->6725 6728 322dddd 6727->6728 6730 322de20 6727->6730 6729 322ddfa lstrcmpA 6728->6729 6728->6730 6729->6728 6730->6710 6732 322dd05 6 API calls 6731->6732 6733 322e821 6732->6733 6734 322dd84 lstrcmpiA 6733->6734 6735 322e82c 6734->6735 6736 322e844 6735->6736 6781 3222480 6735->6781 6736->6279 6739 322ea98 6738->6739 6790 322e8a1 6739->6790 6741 3221e84 6741->6288 6743 32219d5 GetProcAddress GetProcAddress GetProcAddress 6742->6743 6746 32219ce 6742->6746 6744 3221ab3 FreeLibrary 6743->6744 6745 3221a04 6743->6745 6744->6746 6745->6744 6747 3221a14 GetBestInterface GetProcessHeap 6745->6747 6746->6292 6747->6746 6748 3221a2e HeapAlloc 6747->6748 6748->6746 6749 3221a42 GetAdaptersInfo 6748->6749 6750 3221a62 6749->6750 6751 3221a52 HeapReAlloc 6749->6751 6752 3221aa1 FreeLibrary 6750->6752 6753 3221a69 GetAdaptersInfo 6750->6753 6751->6750 6752->6746 6753->6752 6754 3221a75 HeapFree 6753->6754 
6754->6752 6818 3221ac3 LoadLibraryA 6756->6818 6759 3221bcf 6759->6304 6761 3221ac3 13 API calls 6760->6761 6762 3221c09 6761->6762 6763 3221c5a 6762->6763 6764 3221c0d GetComputerNameA 6762->6764 6763->6311 6765 3221c45 GetVolumeInformationA 6764->6765 6766 3221c1f 6764->6766 6765->6763 6766->6765 6767 3221c41 6766->6767 6767->6763 6769 322ee2a 6768->6769 6770 32230d0 gethostname gethostbyname 6769->6770 6771 3221f82 6770->6771 6771->6316 6771->6318 6773 322dd05 6 API calls 6772->6773 6774 322df7c 6773->6774 6775 322dd84 lstrcmpiA 6774->6775 6779 322df89 6775->6779 6776 322dfc4 6776->6285 6777 322ddcf lstrcmpA 6777->6779 6778 322ec2e codecvt 4 API calls 6778->6779 6779->6776 6779->6777 6779->6778 6780 322dd84 lstrcmpiA 6779->6780 6780->6779 6784 3222419 lstrlenA 6781->6784 6783 3222491 6783->6736 6785 3222474 6784->6785 6786 322243d lstrlenA 6784->6786 6785->6783 6787 3222464 lstrlenA 6786->6787 6788 322244e lstrcmpiA 6786->6788 6787->6785 6787->6786 6788->6787 6789 322245c 6788->6789 6789->6785 6789->6787 6791 322dd05 6 API calls 6790->6791 6792 322e8b4 6791->6792 6793 322dd84 lstrcmpiA 6792->6793 6794 322e8c0 6793->6794 6795 322e8c8 lstrcpynA 6794->6795 6805 322e90a 6794->6805 6796 322e8f5 6795->6796 6811 322df4c 6796->6811 6797 3222419 4 API calls 6798 322e926 lstrlenA lstrlenA 6797->6798 6800 322e94c lstrlenA 6798->6800 6802 322e96a 6798->6802 6800->6802 6801 322e901 6803 322dd84 lstrcmpiA 6801->6803 6804 322ebcc 4 API calls 6802->6804 6806 322ea27 6802->6806 6803->6805 6807 322e98f 6804->6807 6805->6797 6805->6806 6806->6741 6807->6806 6808 322df4c 20 API calls 6807->6808 6809 322ea1e 6808->6809 6810 322ec2e codecvt 4 API calls 6809->6810 6810->6806 6812 322dd05 6 API calls 6811->6812 6813 322df51 6812->6813 6814 322f04e 4 API calls 6813->6814 6815 322df58 6814->6815 6816 322de24 10 API calls 6815->6816 6817 322df63 6816->6817 6817->6801 6819 3221ae2 GetProcAddress 6818->6819 6820 3221b68 GetComputerNameA GetVolumeInformationA 6818->6820 6819->6820 6823 
3221af5 6819->6823 6820->6759 6821 3221b1c GetAdaptersAddresses 6821->6823 6824 3221b29 6821->6824 6822 322ebed 8 API calls 6822->6823 6823->6821 6823->6822 6823->6824 6824->6820 6824->6824 6825 322ec2e codecvt 4 API calls 6824->6825 6825->6820 6827 3226ec3 2 API calls 6826->6827 6828 3227ef4 6827->6828 6838 3227fc9 6828->6838 6862 32273ff 6828->6862 6830 3227f16 6830->6838 6882 3227809 GetUserNameA 6830->6882 6832 3227f63 6832->6838 6906 322ef1e lstrlenA 6832->6906 6835 322ef1e lstrlenA 6836 3227fb7 6835->6836 6908 3227a95 RegOpenKeyExA 6836->6908 6838->6327 6840 3227073 6839->6840 6841 32270b9 RegOpenKeyExA 6840->6841 6842 32270d0 6841->6842 6853 32271b8 6841->6853 6843 3226dc2 6 API calls 6842->6843 6846 32270d5 6843->6846 6844 322719b RegEnumValueA 6845 32271af RegCloseKey 6844->6845 6844->6846 6845->6853 6846->6844 6848 32271d0 6846->6848 6939 322f1a5 lstrlenA 6846->6939 6849 3227205 RegCloseKey 6848->6849 6850 3227227 6848->6850 6849->6853 6851 32272b8 ___ascii_stricmp 6850->6851 6852 322728e RegCloseKey 6850->6852 6854 32272dd 6851->6854 6855 32272cd RegCloseKey 6851->6855 6852->6853 6853->6328 6856 3227311 RegCloseKey 6854->6856 6858 3227335 6854->6858 6855->6853 6856->6853 6857 32273d5 RegCloseKey 6859 32273e4 6857->6859 6858->6857 6860 322737e GetFileAttributesExA 6858->6860 6861 3227397 6858->6861 6860->6861 6861->6857 6863 322741b 6862->6863 6864 3226dc2 6 API calls 6863->6864 6865 322743f 6864->6865 6866 3227469 RegOpenKeyExA 6865->6866 6868 32277f9 6866->6868 6878 3227487 ___ascii_stricmp 6866->6878 6867 3227703 RegEnumKeyA 6869 3227714 RegCloseKey 6867->6869 6867->6878 6868->6830 6869->6868 6870 322f1a5 lstrlenA 6870->6878 6871 32274d2 RegOpenKeyExA 6871->6878 6872 322772c 6874 3227742 RegCloseKey 6872->6874 6875 322774b 6872->6875 6873 3227521 RegQueryValueExA 6873->6878 6874->6875 6876 32277ec RegCloseKey 6875->6876 6876->6868 6877 32276e4 RegCloseKey 6877->6878 6878->6867 6878->6870 6878->6871 6878->6872 6878->6873 6878->6877 6880 322777e 
GetFileAttributesExA 6878->6880 6881 3227769 6878->6881 6879 32277e3 RegCloseKey 6879->6876 6880->6881 6881->6879 6883 3227a8d 6882->6883 6884 322783d LookupAccountNameA 6882->6884 6883->6832 6884->6883 6885 3227874 GetLengthSid GetFileSecurityA 6884->6885 6885->6883 6886 32278a8 GetSecurityDescriptorOwner 6885->6886 6887 32278c5 EqualSid 6886->6887 6888 322791d GetSecurityDescriptorDacl 6886->6888 6887->6888 6889 32278dc LocalAlloc 6887->6889 6888->6883 6903 3227941 6888->6903 6889->6888 6890 32278ef InitializeSecurityDescriptor 6889->6890 6892 3227916 LocalFree 6890->6892 6893 32278fb SetSecurityDescriptorOwner 6890->6893 6891 322795b GetAce 6891->6903 6892->6888 6893->6892 6894 322790b SetFileSecurityA 6893->6894 6894->6892 6895 3227980 EqualSid 6895->6903 6896 3227a3d 6896->6883 6899 3227a43 LocalAlloc 6896->6899 6897 32279be EqualSid 6897->6903 6898 322799d DeleteAce 6898->6903 6899->6883 6900 3227a56 InitializeSecurityDescriptor 6899->6900 6901 3227a62 SetSecurityDescriptorDacl 6900->6901 6902 3227a86 LocalFree 6900->6902 6901->6902 6904 3227a73 SetFileSecurityA 6901->6904 6902->6883 6903->6883 6903->6891 6903->6895 6903->6896 6903->6897 6903->6898 6904->6902 6905 3227a83 6904->6905 6905->6902 6907 3227fa6 6906->6907 6907->6835 6909 3227ac4 6908->6909 6910 3227acb GetUserNameA 6908->6910 6909->6838 6911 3227da7 RegCloseKey 6910->6911 6912 3227aed LookupAccountNameA 6910->6912 6911->6909 6912->6911 6913 3227b24 RegGetKeySecurity 6912->6913 6913->6911 6914 3227b49 GetSecurityDescriptorOwner 6913->6914 6915 3227b63 EqualSid 6914->6915 6916 3227bb8 GetSecurityDescriptorDacl 6914->6916 6915->6916 6917 3227b74 LocalAlloc 6915->6917 6918 3227da6 6916->6918 6923 3227bdc 6916->6923 6917->6916 6919 3227b8a InitializeSecurityDescriptor 6917->6919 6918->6911 6921 3227bb1 LocalFree 6919->6921 6922 3227b96 SetSecurityDescriptorOwner 6919->6922 6920 3227bf8 GetAce 6920->6923 6921->6916 6922->6921 6924 3227ba6 RegSetKeySecurity 6922->6924 6923->6918 6923->6920 6925 3227c1d 
EqualSid 6923->6925 6926 3227c5f EqualSid 6923->6926 6927 3227cd9 6923->6927 6928 3227c3a DeleteAce 6923->6928 6924->6921 6925->6923 6926->6923 6927->6918 6929 3227d5a LocalAlloc 6927->6929 6930 3227cf2 RegOpenKeyExA 6927->6930 6928->6923 6929->6918 6931 3227d70 InitializeSecurityDescriptor 6929->6931 6930->6929 6936 3227d0f 6930->6936 6932 3227d9f LocalFree 6931->6932 6933 3227d7c SetSecurityDescriptorDacl 6931->6933 6932->6918 6933->6932 6934 3227d8c RegSetKeySecurity 6933->6934 6934->6932 6935 3227d9c 6934->6935 6935->6932 6937 3227d43 RegSetValueExA 6936->6937 6937->6929 6938 3227d54 6937->6938 6938->6929 6940 322f1c3 6939->6940 6940->6846 6941->6347 6943 322dd05 6 API calls 6942->6943 6946 322e65f 6943->6946 6944 322e6a5 6945 322ebcc 4 API calls 6944->6945 6949 322e6f5 6944->6949 6948 322e6b0 6945->6948 6946->6944 6947 322e68c lstrcmpA 6946->6947 6947->6946 6948->6949 6951 322e6b7 6948->6951 6952 322e6e0 lstrcpynA 6948->6952 6950 322e71d lstrcmpA 6949->6950 6949->6951 6950->6949 6951->6349 6952->6949 6953->6355 6955 3222692 inet_addr 6954->6955 6956 322268e 6954->6956 6955->6956 6957 322269e gethostbyname 6955->6957 6958 322f428 6956->6958 6957->6956 7106 322f315 6958->7106 6961 322f43e 6962 322f473 recv 6961->6962 6963 322f458 6962->6963 6964 322f47c 6962->6964 6963->6962 6963->6964 6964->6386 6966 322c525 6965->6966 6967 322c532 6965->6967 6966->6967 6970 322ec2e codecvt 4 API calls 6966->6970 6968 322c548 6967->6968 7119 322e7ff 6967->7119 6971 322e7ff lstrcmpiA 6968->6971 6978 322c54f 6968->6978 6970->6967 6972 322c615 6971->6972 6973 322ebcc 4 API calls 6972->6973 6972->6978 6973->6978 6974 322c5d1 6976 322ebcc 4 API calls 6974->6976 6976->6978 6977 322e819 11 API calls 6979 322c5b7 6977->6979 6978->6368 6980 322f04e 4 API calls 6979->6980 6981 322c5bf 6980->6981 6981->6968 6981->6974 6984 322c8d2 6982->6984 6983 322c907 6983->6370 6984->6983 6985 322c517 23 API calls 6984->6985 6985->6983 6987 322c67d 6986->6987 6988 322c670 6986->6988 6990 322ebcc 4 API 
calls 6987->6990 6991 322c699 6987->6991 6989 322ebcc 4 API calls 6988->6989 6989->6987 6990->6991 6992 322c6f3 6991->6992 6993 322c73c send 6991->6993 6992->6399 6992->6431 6993->6992 6995 322c77d 6994->6995 6996 322c770 6994->6996 6998 322c799 6995->6998 6999 322ebcc 4 API calls 6995->6999 6997 322ebcc 4 API calls 6996->6997 6997->6995 7000 322c7b5 6998->7000 7001 322ebcc 4 API calls 6998->7001 6999->6998 7002 322f43e recv 7000->7002 7001->7000 7003 322c7cb 7002->7003 7004 322c7d3 7003->7004 7005 322f43e recv 7003->7005 7004->6431 7005->7004 7122 3227db7 7006->7122 7009 3227e70 7012 322f04e 4 API calls 7009->7012 7013 3227e96 7009->7013 7010 322f04e 4 API calls 7011 3227e4c 7010->7011 7011->7009 7014 322f04e 4 API calls 7011->7014 7012->7013 7013->6431 7014->7009 7016 3226ec3 2 API calls 7015->7016 7017 3227fdd 7016->7017 7018 32273ff 17 API calls 7017->7018 7027 32280c2 CreateProcessA 7017->7027 7019 3227fff 7018->7019 7020 3227809 21 API calls 7019->7020 7019->7027 7021 322804d 7020->7021 7022 322ef1e lstrlenA 7021->7022 7021->7027 7023 322809e 7022->7023 7024 322ef1e lstrlenA 7023->7024 7025 32280af 7024->7025 7026 3227a95 24 API calls 7025->7026 7026->7027 7027->6452 7027->6453 7029 3227db7 2 API calls 7028->7029 7030 3227eb8 7029->7030 7031 322f04e 4 API calls 7030->7031 7032 3227ece DeleteFileA 7031->7032 7032->6431 7034 322dd05 6 API calls 7033->7034 7035 322e31d 7034->7035 7126 322e177 7035->7126 7037 322e326 7037->6424 7039 32231f3 7038->7039 7049 32231ec 7038->7049 7040 322ebcc 4 API calls 7039->7040 7054 32231fc 7040->7054 7041 322344b 7042 3223459 7041->7042 7043 322349d 7041->7043 7045 322f04e 4 API calls 7042->7045 7044 322ec2e codecvt 4 API calls 7043->7044 7044->7049 7046 322345f 7045->7046 7047 32230fa 4 API calls 7046->7047 7047->7049 7048 322ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7048->7054 7049->6431 7050 322344d 7051 322ec2e codecvt 4 API calls 7050->7051 7051->7041 7053 3223141 lstrcmpiA 7053->7054 7054->7041 7054->7048 
7054->7049 7054->7050 7054->7053 7152 32230fa GetTickCount 7054->7152 7056 32230fa 4 API calls 7055->7056 7058 3223c1a 7056->7058 7057 3223ce6 7057->6431 7058->7057 7157 3223a72 7058->7157 7061 3223a72 9 API calls 7064 3223c5e 7061->7064 7062 3223a72 9 API calls 7062->7064 7063 322ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7063->7064 7064->7057 7064->7062 7064->7063 7066 3223a10 7065->7066 7067 32230fa 4 API calls 7066->7067 7068 3223a1a 7067->7068 7068->6431 7070 322dd05 6 API calls 7069->7070 7071 322e7be 7070->7071 7071->6431 7073 322c07e wsprintfA 7072->7073 7077 322c105 7072->7077 7166 322bfce GetTickCount wsprintfA 7073->7166 7075 322c0ef 7167 322bfce GetTickCount wsprintfA 7075->7167 7077->6431 7079 3227047 7078->7079 7080 3226f88 LookupAccountNameA 7078->7080 7079->6431 7082 3227025 7080->7082 7083 3226fcb 7080->7083 7168 3226edd 7082->7168 7086 3226fdb ConvertSidToStringSidA 7083->7086 7086->7082 7087 3226ff1 7086->7087 7088 3227013 LocalFree 7087->7088 7088->7082 7090 322dd05 6 API calls 7089->7090 7091 322e85c 7090->7091 7092 322dd84 lstrcmpiA 7091->7092 7093 322e867 7092->7093 7094 322e885 lstrcpyA 7093->7094 7179 32224a5 7093->7179 7182 322dd69 7094->7182 7100 3227db7 2 API calls 7099->7100 7101 3227de1 7100->7101 7102 322f04e 4 API calls 7101->7102 7105 3227e16 7101->7105 7103 3227df2 7102->7103 7104 322f04e 4 API calls 7103->7104 7103->7105 7104->7105 7105->6431 7107 322ca1d 7106->7107 7108 322f33b 7106->7108 7107->6383 7107->6961 7109 322f347 htons socket 7108->7109 7110 322f382 ioctlsocket 7109->7110 7111 322f374 closesocket 7109->7111 7112 322f3aa connect select 7110->7112 7113 322f39d 7110->7113 7111->7107 7112->7107 7115 322f3f2 __WSAFDIsSet 7112->7115 7114 322f39f closesocket 7113->7114 7114->7107 7115->7114 7116 322f403 ioctlsocket 7115->7116 7118 322f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7116->7118 7118->7107 7120 322dd84 lstrcmpiA 7119->7120 7121 322c58e 7120->7121 7121->6968 7121->6974 7121->6977 
7123 3227dc8 InterlockedExchange 7122->7123 7124 3227dc0 Sleep 7123->7124 7125 3227dd4 7123->7125 7124->7123 7125->7009 7125->7010 7127 322e184 7126->7127 7128 322e2e4 7127->7128 7129 322e223 7127->7129 7142 322dfe2 7127->7142 7128->7037 7129->7128 7131 322dfe2 8 API calls 7129->7131 7135 322e23c 7131->7135 7132 322e1be 7132->7129 7133 322dbcf 3 API calls 7132->7133 7136 322e1d6 7133->7136 7134 322e21a CloseHandle 7134->7129 7135->7128 7146 322e095 RegCreateKeyExA 7135->7146 7136->7129 7136->7134 7137 322e1f9 WriteFile 7136->7137 7137->7134 7139 322e213 7137->7139 7139->7134 7140 322e2a3 7140->7128 7141 322e095 4 API calls 7140->7141 7141->7128 7143 322dffc 7142->7143 7145 322e024 7142->7145 7144 322db2e 8 API calls 7143->7144 7143->7145 7144->7145 7145->7132 7147 322e172 7146->7147 7149 322e0c0 7146->7149 7147->7140 7148 322e13d 7150 322e14e RegDeleteValueA RegCloseKey 7148->7150 7149->7148 7151 322e115 RegSetValueExA 7149->7151 7150->7147 7151->7148 7151->7149 7153 3223122 InterlockedExchange 7152->7153 7154 322312e 7153->7154 7155 322310f GetTickCount 7153->7155 7154->7054 7155->7154 7156 322311a Sleep 7155->7156 7156->7153 7158 322f04e 4 API calls 7157->7158 7165 3223a83 7158->7165 7159 3223ac1 7159->7057 7159->7061 7160 3223be6 7163 322ec2e codecvt 4 API calls 7160->7163 7161 322ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7162 3223bc0 7161->7162 7162->7160 7162->7161 7163->7159 7164 3223b66 lstrlenA 7164->7159 7164->7165 7165->7159 7165->7162 7165->7164 7166->7075 7167->7077 7169 3226eef AllocateAndInitializeSid 7168->7169 7170 3226f55 wsprintfA 7168->7170 7171 3226f44 7169->7171 7172 3226f1c CheckTokenMembership 7169->7172 7170->7079 7171->7170 7176 3226e36 GetUserNameW 7171->7176 7173 3226f3b FreeSid 7172->7173 7174 3226f2e 7172->7174 7173->7171 7174->7173 7177 3226e5f LookupAccountNameW 7176->7177 7178 3226e97 7176->7178 7177->7178 7178->7170 7180 3222419 4 API calls 7179->7180 7181 32224b6 7180->7181 7181->7094 7183 322dd79 lstrlenA 
Execution graph: node/edge listing of function addresses (0x3221000 range) and the Windows APIs each node calls; the rendered graph is not preserved in this text extract.
APIs
• closesocket.WS2_32(?), ref: 0322CA4E
• closesocket.WS2_32(?), ref: 0322CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0322CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0322CCB4
• WriteFile.KERNEL32(0322A4B3,?,-000000E8,?,00000000), ref: 0322CCDC
• CloseHandle.KERNEL32(0322A4B3), ref: 0322CCED
• wsprintfA.USER32 ref: 0322CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0322CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0322CD89
• CloseHandle.KERNEL32(?), ref: 0322CD98
• CloseHandle.KERNEL32(?), ref: 0322CD9D
• DeleteFileA.KERNEL32(?), ref: 0322CDC4
• CloseHandle.KERNEL32(0322A4B3), ref: 0322CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0322CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0322CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0322D033
• lstrcatA.KERNEL32(?,04700108), ref: 0322D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0322D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0322D171
• WriteFile.KERNEL32(00000000,0470012C,?,?,00000000), ref: 0322D195
• CloseHandle.KERNEL32(00000000), ref: 0322D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0322D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0322D231
• lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 0322D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0322D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0322D2C7
• WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0322D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0322D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0322D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0322D372
• lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 0322D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0322D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0322D408
• WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0322D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0322D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0322D45B
• CreateProcessA.KERNEL32(?,03230264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0322D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0322D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0322D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0322D513
                                                                                          • closesocket.WS2_32(?), ref: 0322D56C
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0322D577
                                                                                          • ExitProcess.KERNEL32 ref: 0322D583
                                                                                          • wsprintfA.USER32 ref: 0322D81F
                                                                                            • Part of subcall function 0322C65C: send.WS2_32(00000000,?,00000000), ref: 0322C74B
                                                                                          • closesocket.WS2_32(?), ref: 0322DAD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                          • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                          • API String ID: 562065436-3369033204
                                                                                          • Opcode ID: 7c6e0582867fa23eb24a41e66e3892830d033b709d34d37ad6f799324f90ef5c
                                                                                          • Instruction ID: 3c14a2df241f8ff2afb26a040565da723c1f0a6375d5469efc36036f1bbbbf59
                                                                                          • Opcode Fuzzy Hash: 7c6e0582867fa23eb24a41e66e3892830d033b709d34d37ad6f799324f90ef5c
                                                                                          • Instruction Fuzzy Hash: 52B2B6B1950229BFEB10EFA4DD48EEEBFBCEB05300F148469E655A6141D7709AC5CF60
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 03229A7F
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 03229A83
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(03226511), ref: 03229A8A
                                                                                            • Part of subcall function 0322EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0322EC5E
                                                                                            • Part of subcall function 0322EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0322EC72
                                                                                            • Part of subcall function 0322EC54: GetTickCount.KERNEL32 ref: 0322EC78
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 03229AB3
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 03229ABA
                                                                                          • GetCommandLineA.KERNEL32 ref: 03229AFD
                                                                                          • lstrlenA.KERNEL32(?), ref: 03229B99
                                                                                          • ExitProcess.KERNEL32 ref: 03229C06
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 03229CAC
                                                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 03229D7A
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 03229D8B
                                                                                          • lstrcatA.KERNEL32(?,0323070C), ref: 03229D9D
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 03229DED
                                                                                          • DeleteFileA.KERNEL32(00000022), ref: 03229E38
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 03229E6F
                                                                                          • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 03229EC8
                                                                                          • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 03229ED5
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 03229F3B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 03229F5E
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 03229F6A
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 03229FAD
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 03229FB4
                                                                                          • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 03229FFE
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0322A038
                                                                                          • lstrcatA.KERNEL32(00000022,03230A34), ref: 0322A05E
                                                                                          • lstrcatA.KERNEL32(00000022,00000022), ref: 0322A072
                                                                                          • lstrcatA.KERNEL32(00000022,03230A34), ref: 0322A08D
                                                                                          • wsprintfA.USER32 ref: 0322A0B6
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0322A0DE
                                                                                          • lstrcatA.KERNEL32(00000022,?), ref: 0322A0FD
                                                                                          • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0322A120
                                                                                          • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0322A131
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0322A174
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 0322A17B
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 0322A1B6
                                                                                          • GetCommandLineA.KERNEL32 ref: 0322A1E5
                                                                                            • Part of subcall function 032299D2: lstrcpyA.KERNEL32(?,?,00000100,032322F8,00000000,?,03229E9D,?,00000022,?,?,?,?,?,?,?), ref: 032299DF
                                                                                            • Part of subcall function 032299D2: lstrcatA.KERNEL32(00000022,00000000,?,?,03229E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 03229A3C
                                                                                            • Part of subcall function 032299D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,03229E9D,?,00000022,?,?,?), ref: 03229A52
                                                                                          • lstrlenA.KERNEL32(?), ref: 0322A288
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0322A3B7
                                                                                          • GetLastError.KERNEL32 ref: 0322A3ED
                                                                                          • Sleep.KERNELBASE(000003E8), ref: 0322A400
                                                                                          • DeleteFileA.KERNELBASE(032333D8), ref: 0322A407
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,0322405E,00000000,00000000,00000000), ref: 0322A42C
                                                                                          • WSAStartup.WS2_32(00001010,?), ref: 0322A43A
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,0322877E,00000000,00000000,00000000), ref: 0322A469
                                                                                          • Sleep.KERNELBASE(00000BB8), ref: 0322A48A
                                                                                          • GetTickCount.KERNEL32 ref: 0322A49F
                                                                                          • GetTickCount.KERNEL32 ref: 0322A4B7
                                                                                          • Sleep.KERNELBASE(00001A90), ref: 0322A4C3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                          • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$D$P$\$dkajlqvv
                                                                                          • API String ID: 2089075347-365796532
                                                                                          • Opcode ID: 34e327132edb888ec23124bd2f65ada6dccc3a6ca9c30bd8501c740b341f419c
                                                                                          • Instruction ID: f6fd98e4aa66f00a752e877b214fb9a289e61877b2c0e035d877caf404f510f2
                                                                                          • Opcode Fuzzy Hash: 34e327132edb888ec23124bd2f65ada6dccc3a6ca9c30bd8501c740b341f419c
                                                                                          • Instruction Fuzzy Hash: 625285B1D6036ABFDF11EFA4DC49EEE7FBCAB05700F0484A5E505A6141DBB09AC48B61


                                                                                          Control-flow Graph (graph data omitted)

                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 032219B1
                                                                                          • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,03221E9E), ref: 032219BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 032219E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 032219ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 032219F9
                                                                                          • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,03221E9E), ref: 03221A1B
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,03221E9E), ref: 03221A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,03221E9E), ref: 03221A36
                                                                                          • GetAdaptersInfo.IPHLPAPI(00000000,03221E9E,?,?,?,?,00000001,03221E9E), ref: 03221A4A
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,03221E9E,?,?,?,?,00000001,03221E9E), ref: 03221A5A
                                                                                          • GetAdaptersInfo.IPHLPAPI(00000000,03221E9E,?,?,?,?,00000001,03221E9E), ref: 03221A6E
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,03221E9E), ref: 03221A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,03221E9E), ref: 03221AA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                          • API String ID: 293628436-270533642
                                                                                          • Opcode ID: 98a1199ff426b5ad4d40384db80cea03682b774e90d85acffcf4f272bce89384
                                                                                          • Instruction ID: b59f1c3a88cccacf8ef470eb16a8b871b8d3ba9a432ded52c3532e33601804a5
                                                                                          • Opcode Fuzzy Hash: 98a1199ff426b5ad4d40384db80cea03682b774e90d85acffcf4f272bce89384
                                                                                          • Instruction Fuzzy Hash: 50315072D1026ABFCF11EFE4DC88CBEBFB9EF45601B198579E502A2110D7705A91DBA0


                                                                                          Control-flow Graph (graph data omitted)

                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 03227ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 03227ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,0323070C,?,?,?), ref: 03227B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 03227B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 03227B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 03227B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 03227B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 03227B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 03227B9C
                                                                                          • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 03227BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 03227BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,03227FC9,?,00000000), ref: 03227BCE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$D
                                                                                          • API String ID: 2976863881-2164713515
                                                                                          • Opcode ID: 031596aebca2464c2e97e5e950fe4ab942d07c2e692e2cc4278dd4d13894186b
                                                                                          • Instruction ID: 87501bc3136128c0cbe97907e8e7438f0af4bea398573958281b5c81bde6665b
                                                                                          • Opcode Fuzzy Hash: 031596aebca2464c2e97e5e950fe4ab942d07c2e692e2cc4278dd4d13894186b
                                                                                          • Instruction Fuzzy Hash: 51A11B7191422ABBDF11DFA5DD88EEEBFB9FB44700F0880A9E506A2141D7359A85CB60


                                                                                          Control-flow Graph (graph data omitted)

                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0322782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 03227866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 03227878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0322789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,03227F63,?), ref: 032278B8
                                                                                          • EqualSid.ADVAPI32(?,03227F63), ref: 032278D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 032278E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 032278F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 03227901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 03227910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 03227917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 03227933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 03227963
                                                                                          • EqualSid.ADVAPI32(?,03227F63), ref: 0322798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 032279A3
                                                                                          • EqualSid.ADVAPI32(?,03227F63), ref: 032279C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 03227A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 03227A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 03227A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 03227A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 03227A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: 92993a7158f8fc116fa391b450cc53afb6c430c46fdd73e38e62d61cf6209b0b
                                                                                          • Instruction ID: c2b4a07b705e7009b25f1b33f6c018e2041c5414b0ce4fadda0be22c6af6dd7d
                                                                                          • Opcode Fuzzy Hash: 92993a7158f8fc116fa391b450cc53afb6c430c46fdd73e38e62d61cf6209b0b
                                                                                          • Instruction Fuzzy Hash: 42814E71D1422AABDB11DFA9DD48EEEBFBCAF08740F14816AE506E2141D735D681CFA0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 791 3228328-322833e call 3227dd6 794 3228340-3228343 791->794 795 3228348-3228356 call 3226ec3 791->795 796 322877b-322877d 794->796 799 322846b-3228474 795->799 800 322835c-3228378 call 32273ff 795->800 802 32285c2-32285ce 799->802 803 322847a-3228480 799->803 811 3228464-3228466 800->811 812 322837e-3228384 800->812 806 32285d0-32285da call 322675c 802->806 807 3228615-3228620 802->807 803->802 804 3228486-32284ba call 3222544 RegOpenKeyExA 803->804 821 3228543-3228571 call 3222544 RegOpenKeyExA 804->821 822 32284c0-32284db RegQueryValueExA 804->822 814 32285df-32285eb 806->814 809 3228626-322864c GetTempPathA call 3228274 call 322eca5 807->809 810 32286a7-32286b0 call 3226ba7 807->810 849 3228671-32286a4 call 3222544 call 322ef00 call 322ee2a 809->849 850 322864e-322866f call 322eca5 809->850 830 3228762 810->830 831 32286b6-32286bd call 3227e2f 810->831 819 3228779-322877a 811->819 812->811 818 322838a-322838d 812->818 814->807 820 32285ed-32285ef 814->820 818->811 825 3228393-3228399 818->825 819->796 820->807 826 32285f1-32285fa 820->826 843 3228573-322857b 821->843 844 32285a5-32285b7 call 322ee2a 821->844 828 3228521-322852d RegCloseKey 822->828 829 32284dd-32284e1 822->829 833 322839c-32283a1 825->833 826->807 834 32285fc-322860f call 32224c2 826->834 828->821 840 322852f-3228541 call 322eed1 828->840 829->828 836 32284e3-32284e6 829->836 838 3228768-322876b 830->838 862 32286c3-322873b call 322ee2a * 2 lstrcpyA lstrlenA call 3227fcf CreateProcessA 831->862 863 322875b-322875c DeleteFileA 831->863 833->833 841 32283a3-32283af 833->841 834->807 834->838 836->828 845 32284e8-32284f6 call 322ebcc 836->845 847 3228776-3228778 838->847 848 322876d-3228775 call 322ec2e 838->848 840->821 840->844 852 32283b3-32283ba 841->852 853 32283b1 841->853 859 322857e-3228583 843->859 844->802 878 32285b9-32285c1 call 322ec2e 844->878 845->828 877 32284f8-3228513 RegQueryValueExA 845->877 847->819 848->847 849->810 850->849 856 3228450-322845f call 322ee2a 852->856 857 32283c0-32283fb call 3222544 RegOpenKeyExA 852->857 853->852 856->802 857->856 882 32283fd-322841c RegQueryValueExA 857->882 859->859 868 3228585-322859f RegSetValueExA RegCloseKey 859->868 899 322874f-322875a call 3227ee6 call 3227ead 862->899 900 322873d-322874d CloseHandle * 2 862->900 863->830 868->844 877->828 883 3228515-322851e call 322ec2e 877->883 878->802 888 322841e-3228421 882->888 889 322842d-3228441 RegSetValueExA 882->889 883->828 888->889 894 3228423-3228426 888->894 895 3228447-322844a RegCloseKey 889->895 894->889 898 3228428-322842b 894->898 895->856 898->889 898->895 899->863 900->838
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,03230750,?,?,00000000,localcfg,00000000), ref: 032283F3
                                                                                          • RegQueryValueExA.KERNELBASE(03230750,?,00000000,?,03228893,?,?,?,00000000,00000103,03230750,?,?,00000000,localcfg,00000000), ref: 03228414
                                                                                          • RegSetValueExA.KERNELBASE(03230750,?,00000000,00000004,03228893,00000004,?,?,00000000,00000103,03230750,?,?,00000000,localcfg,00000000), ref: 03228441
                                                                                          • RegCloseKey.ADVAPI32(03230750,?,?,00000000,00000103,03230750,?,?,00000000,localcfg,00000000), ref: 0322844A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe$localcfg
                                                                                          • API String ID: 237177642-3593170167
                                                                                          • Opcode ID: a4c2c6fc7cfa38cba8a245968c1034db96f1a82de7c19e4334bdaf461fea806d
                                                                                          • Instruction ID: 831b59e2c4a242b7d051cdbf3d4ca316736705b958a9c2341df08d81fbd713e3
                                                                                          • Opcode Fuzzy Hash: a4c2c6fc7cfa38cba8a245968c1034db96f1a82de7c19e4334bdaf461fea806d
                                                                                          • Instruction Fuzzy Hash: BAC192B5D50229BFEB11EBA4EC84EEEBFBCEB04700F188465F505A6041D6B19AC4DB61

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 03221DC6
                                                                                          • GetSystemInfo.KERNELBASE(?), ref: 03221DE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 03221E03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 03221E0A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 03221E1B
                                                                                          • GetTickCount.KERNEL32 ref: 03221FC9
                                                                                            • Part of subcall function 03221BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 03221C15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                          • API String ID: 4207808166-1381319158
                                                                                          • Opcode ID: 57a5d02983724ca9372affb7fc390aa5d4535f18af5c00823ce6e0b65dc5094c
                                                                                          • Instruction ID: 1b166c248630d0bee9b77654f6cdfccd729f37f41c30484715229934647f40c9
                                                                                          • Opcode Fuzzy Hash: 57a5d02983724ca9372affb7fc390aa5d4535f18af5c00823ce6e0b65dc5094c
                                                                                          • Instruction Fuzzy Hash: BB51E2B09203547FE320EF658C89F6BBEECEB45604F04481CF59686502D7B4B99487B2

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 999 32273ff-3227419 1000 322741b 999->1000 1001 322741d-3227422 999->1001 1000->1001 1002 3227426-322742b 1001->1002 1003 3227424 1001->1003 1004 3227430-3227435 1002->1004 1005 322742d 1002->1005 1003->1002 1006 3227437 1004->1006 1007 322743a-3227481 call 3226dc2 call 3222544 RegOpenKeyExA 1004->1007 1005->1004 1006->1007 1012 3227487-322749d call 322ee2a 1007->1012 1013 32277f9-32277fe call 322ee2a 1007->1013 1018 3227703-322770e RegEnumKeyA 1012->1018 1019 3227801 1013->1019 1020 32274a2-32274b1 call 3226cad 1018->1020 1021 3227714-322771d RegCloseKey 1018->1021 1022 3227804-3227808 1019->1022 1025 32274b7-32274cc call 322f1a5 1020->1025 1026 32276ed-3227700 1020->1026 1021->1019 1025->1026 1029 32274d2-32274f8 RegOpenKeyExA 1025->1029 1026->1018 1030 3227727-322772a 1029->1030 1031 32274fe-3227530 call 3222544 RegQueryValueExA 1029->1031 1032 3227755-3227764 call 322ee2a 1030->1032 1033 322772c-3227740 call 322ef00 1030->1033 1031->1030 1039 3227536-322753c 1031->1039 1044 32276df-32276e2 1032->1044 1041 3227742-3227745 RegCloseKey 1033->1041 1042 322774b-322774e 1033->1042 1043 322753f-3227544 1039->1043 1041->1042 1046 32277ec-32277f7 RegCloseKey 1042->1046 1043->1043 1045 3227546-322754b 1043->1045 1044->1026 1047 32276e4-32276e7 RegCloseKey 1044->1047 1045->1032 1048 3227551-322756b call 322ee95 1045->1048 1046->1022 1047->1026 1048->1032 1051 3227571-3227593 call 3222544 call 322ee95 1048->1051 1056 3227753 1051->1056 1057 3227599-32275a0 1051->1057 1056->1032 1058 32275a2-32275c6 call 322ef00 call 322ed03 1057->1058 1059 32275c8-32275d7 call 322ed03 1057->1059 1064 32275d8-32275da 1058->1064 1059->1064 1067 32275df-3227623 call 322ee95 call 3222544 call 322ee95 call 322ee2a 1064->1067 1068 32275dc 1064->1068 1077 3227626-322762b 1067->1077 1068->1067 1077->1077 1078 322762d-3227634 1077->1078 1079 3227637-322763c 1078->1079 1079->1079 1080 322763e-3227642 1079->1080 1081 3227644-3227656 call 322ed77 1080->1081 1082 322765c-3227673 call 322ed23 1080->1082 1081->1082 1087 3227769-322777c call 322ef00 1081->1087 1088 3227680 1082->1088 1089 3227675-322767e 1082->1089 1094 32277e3-32277e6 RegCloseKey 1087->1094 1091 3227683-322768e call 3226cad 1088->1091 1089->1091 1096 3227722-3227725 1091->1096 1097 3227694-32276bf call 322f1a5 call 3226c96 1091->1097 1094->1046 1098 32276dd 1096->1098 1103 32276c1-32276c7 1097->1103 1104 32276d8 1097->1104 1098->1044 1103->1104 1105 32276c9-32276d2 1103->1105 1104->1098 1105->1104 1106 322777e-3227797 GetFileAttributesExA 1105->1106 1107 322779a-322779f 1106->1107 1108 3227799 1106->1108 1109 32277a3-32277a8 1107->1109 1110 32277a1 1107->1110 1108->1107 1111 32277c4-32277c8 1109->1111 1112 32277aa-32277c0 call 322ee08 1109->1112 1110->1109 1114 32277d7-32277dc 1111->1114 1115 32277ca-32277d6 call 322ef00 1111->1115 1112->1111 1118 32277e0-32277e2 1114->1118 1119 32277de 1114->1119 1115->1114 1118->1094 1119->1118
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 03227472
                                                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 032274F0
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 03227528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0322764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 032276E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 03227706
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 03227717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 03227745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 032277EF
                                                                                            • Part of subcall function 0322F1A5: lstrlenA.KERNEL32(000000C8,000000E4,032322F8,000000C8,03227150,?), ref: 0322F1AD
                                                                                          • GetFileAttributesExA.KERNELBASE(00000022,00000000,?), ref: 0322778F
                                                                                          • RegCloseKey.KERNELBASE(?), ref: 032277E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          • Opcode ID: efe51c53f0fd3b6e2f3f4bef3bcbcf1e6734960c058d6860fa902ccf8e6bc192
                                                                                          • Instruction ID: 0aedca499b36558fe0fae3a2ae311c3f694fcf19cba408898f03e32357c1ef36
                                                                                          • Opcode Fuzzy Hash: efe51c53f0fd3b6e2f3f4bef3bcbcf1e6734960c058d6860fa902ccf8e6bc192
                                                                                          • Instruction Fuzzy Hash: 87C1B37191422ABFDB11DFA8DC48EEEBFB9EF45310F144095E504AA191EBB1DAC4CB60

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1121 322675c-3226778 1122 3226784-32267a2 CreateFileA 1121->1122 1123 322677a-322677e SetFileAttributesA 1121->1123 1124 32267a4-32267b2 CreateFileA 1122->1124 1125 32267b5-32267b8 1122->1125 1123->1122 1124->1125 1126 32267c5-32267c9 1125->1126 1127 32267ba-32267bf SetFileAttributesA 1125->1127 1128 3226977-3226986 1126->1128 1129 32267cf-32267df GetFileSize 1126->1129 1127->1126 1130 32267e5-32267e7 1129->1130 1131 322696b 1129->1131 1130->1131 1133 32267ed-322680b ReadFile 1130->1133 1132 322696e-3226971 CloseHandle 1131->1132 1132->1128 1133->1131 1134 3226811-3226824 SetFilePointer 1133->1134 1134->1131 1135 322682a-3226842 ReadFile 1134->1135 1135->1131 1136 3226848-3226861 SetFilePointer 1135->1136 1136->1131 1137 3226867-3226876 1136->1137 1138 32268d5-32268df 1137->1138 1139 3226878-322688f ReadFile 1137->1139 1138->1132 1142 32268e5-32268eb 1138->1142 1140 32268d2 1139->1140 1141 3226891-322689e 1139->1141 1140->1138 1143 32268a0-32268b5 1141->1143 1144 32268b7-32268ba 1141->1144 1145 32268f0-32268fe call 322ebcc 1142->1145 1146 32268ed 1142->1146 1147 32268bd-32268c3 1143->1147 1144->1147 1145->1131 1152 3226900-322690b SetFilePointer 1145->1152 1146->1145 1150 32268c5 1147->1150 1151 32268c8-32268ce 1147->1151 1150->1151 1151->1139 1153 32268d0 1151->1153 1154 322695a-3226969 call 322ec2e 1152->1154 1155 322690d-3226920 ReadFile 1152->1155 1153->1138 1154->1132 1155->1154 1156 3226922-3226958 1155->1156 1156->1132
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0322677E
                                                                                          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0322679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 032267B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 032267BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 032267D3
                                                                                          • ReadFile.KERNELBASE(000000FF,?,00000040,03228244,00000000,?,76230F10,00000000), ref: 03226807
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0322681F
                                                                                          • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0322683E
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0322685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,03228244,00000000,?,76230F10,00000000), ref: 0322688B
                                                                                          • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 03226906
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000000,03228244,00000000,?,76230F10,00000000), ref: 0322691C
                                                                                          • CloseHandle.KERNELBASE(000000FF,?,76230F10,00000000), ref: 03226971
                                                                                            • Part of subcall function 0322EC2E: GetProcessHeap.KERNEL32(00000000,0322EA27,00000000,0322EA27,00000000), ref: 0322EC41
                                                                                            • Part of subcall function 0322EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0322EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 2622201749-0
                                                                                          • Opcode ID: 148cbfddc6d3099d8d8669436ccf83f11aaaabbd3042ed3277edcf28d0a421ec
                                                                                          • Instruction ID: 5ad93cb41c42d075083c3dfe84b15d85de3c41143794aa5487e6c45a8cdf619f
                                                                                          • Opcode Fuzzy Hash: 148cbfddc6d3099d8d8669436ccf83f11aaaabbd3042ed3277edcf28d0a421ec
                                                                                          • Instruction Fuzzy Hash: 35715872C1022AFFDF10DFA5DC849EEBBB8FB04314F14456AE915A6190E7709E92DB60

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1159 322f315-322f332 1160 322f334-322f336 1159->1160 1161 322f33b-322f372 call 322ee2a htons socket 1159->1161 1162 322f424-322f427 1160->1162 1165 322f382-322f39b ioctlsocket 1161->1165 1166 322f374-322f37d closesocket 1161->1166 1167 322f3aa-322f3f0 connect select 1165->1167 1168 322f39d 1165->1168 1166->1162 1170 322f3f2-322f401 __WSAFDIsSet 1167->1170 1171 322f421 1167->1171 1169 322f39f-322f3a8 closesocket 1168->1169 1172 322f423 1169->1172 1170->1169 1173 322f403-322f416 ioctlsocket call 322f26d 1170->1173 1171->1172 1172->1162 1175 322f41b-322f41f 1173->1175 1175->1172
                                                                                          APIs
                                                                                          • htons.WS2_32(0322CA1D), ref: 0322F34D
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 0322F367
                                                                                          • closesocket.WS2_32(00000000), ref: 0322F375
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
                                                                                          • Opcode ID: e55c39f6a1adee37606c84baf549ddecb8f70445983afe91dc3c0e756d5b49c9
                                                                                          • Instruction ID: 9d4916cf409df8f55f7f574f7b76d6b233375f991b19cb6aef580ceb4ba090e4
                                                                                          • Opcode Fuzzy Hash: e55c39f6a1adee37606c84baf549ddecb8f70445983afe91dc3c0e756d5b49c9
                                                                                          • Instruction Fuzzy Hash: E4318376914229BFDB10DFA5ED84DEE7BBCEF48314F108166FA15D3140D7B09A818BA0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1176 322405e-322407b CreateEventA 1177 3224084-32240a8 call 3223ecd call 3224000 1176->1177 1178 322407d-3224081 1176->1178 1183 3224130-322413e call 322ee2a 1177->1183 1184 32240ae-32240be call 322ee2a 1177->1184 1189 322413f-3224165 call 3223ecd CreateNamedPipeA 1183->1189 1184->1183 1190 32240c0-32240f1 call 322eca5 call 3223f18 call 3223f8c 1184->1190 1195 3224167-3224174 Sleep 1189->1195 1196 3224188-3224193 ConnectNamedPipe 1189->1196 1207 32240f3-32240ff 1190->1207 1208 3224127-322412a CloseHandle 1190->1208 1195->1189 1198 3224176-3224182 CloseHandle 1195->1198 1200 3224195-32241a5 GetLastError 1196->1200 1201 32241ab-32241c0 call 3223f8c 1196->1201 1198->1196 1200->1201 1203 322425e-3224265 DisconnectNamedPipe 1200->1203 1201->1196 1209 32241c2-32241f2 call 3223f18 call 3223f8c 1201->1209 1203->1196 1207->1208 1210 3224101-3224121 call 3223f18 ExitProcess 1207->1210 1208->1183 1209->1203 1217 32241f4-3224200 1209->1217 1217->1203 1218 3224202-3224215 call 3223f8c 1217->1218 1218->1203 1221 3224217-322421b 1218->1221 1221->1203 1222 322421d-3224230 call 3223f8c 1221->1222 1222->1203 1225 3224232-3224236 1222->1225 1225->1196 1226 322423c-3224251 call 3223f18 1225->1226 1229 3224253-3224259 1226->1229 1230 322426a-3224276 CloseHandle * 2 call 322e318 1226->1230 1229->1196 1232 322427b 1230->1232 1232->1232
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 03224070
                                                                                          • ExitProcess.KERNEL32 ref: 03224121
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2404124870-0
                                                                                          • Opcode ID: 7d4e07adb0d2803d98274fd713bbca65e04ebe7a1ac24c6443ef62099f6dd579
                                                                                          • Instruction ID: cc0c3460f69c1796cd707e05641499a14fa11ba54b5c7a6bdda1b2e44738d075
                                                                                          • Opcode Fuzzy Hash: 7d4e07adb0d2803d98274fd713bbca65e04ebe7a1ac24c6443ef62099f6dd579
                                                                                          • Instruction Fuzzy Hash: 3951A2B5D20229BAEB10FBA29C85FFF7E7CEF10A14F144155F601A6080E7748A81D7A1

                                                                                          Control-flow Graph (summary of rendered graph): basic blocks 3222d21-3222df1; API calls on the graph: GetModuleHandleA, LoadLibraryA, GetProcAddress, DnsQuery_A, GetProcessHeap, HeapAlloc, lstrcpynA; internal call to 322ee2a
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,03222F01,?,032220FF,03232000), ref: 03222D3A
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 03222D4A
                                                                                          • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 03222D61
                                                                                          • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 03222D77
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 03222D99
                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 03222DA0
                                                                                          • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 03222DCB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                          • String ID: DnsQuery_A$dnsapi.dll
                                                                                          • API String ID: 233223969-3847274415
                                                                                          • Opcode ID: 9fc80f5edca4f26b97114b0c68c44886218abcaf257d3ee62489bc13d7074020
                                                                                          • Instruction ID: 1629217e4a52e07cbeb7adddd3a7ce6833a78909670c6ab68d965c64738606bd
                                                                                          • Opcode Fuzzy Hash: 9fc80f5edca4f26b97114b0c68c44886218abcaf257d3ee62489bc13d7074020
                                                                                          • Instruction Fuzzy Hash: B4214C71910726FBCB61DF64DC489AEBFBCEF08A50F148891F946A7104D7B1A98587E0

                                                                                          Control-flow Graph (summary of rendered graph): basic blocks 32280c9-3228273; API calls on the graph: RegOpenKeyExA, RegQueryValueExA (two call sites), RegCloseKey; internal calls to 3226ec3, 3227ee6, 322704c, 322675c, 3222544, 32224c2, 322ec2e, 322ee2a, 322ebcc, 322ef00
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0322815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0322A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 03228187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0322A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 032281BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 03228210
                                                                                            • Part of subcall function 0322675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0322677E
                                                                                            • Part of subcall function 0322675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0322679A
                                                                                            • Part of subcall function 0322675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 032267B0
                                                                                            • Part of subcall function 0322675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 032267BF
                                                                                            • Part of subcall function 0322675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 032267D3
                                                                                            • Part of subcall function 0322675C: ReadFile.KERNELBASE(000000FF,?,00000040,03228244,00000000,?,76230F10,00000000), ref: 03226807
                                                                                            • Part of subcall function 0322675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0322681F
                                                                                            • Part of subcall function 0322675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0322683E
                                                                                            • Part of subcall function 0322675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0322685C
                                                                                            • Part of subcall function 0322EC2E: GetProcessHeap.KERNEL32(00000000,0322EA27,00000000,0322EA27,00000000), ref: 0322EC41
                                                                                            • Part of subcall function 0322EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0322EC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: C:\Windows\SysWOW64\dkajlqvv\dpbgdjiw.exe
                                                                                          • API String ID: 124786226-648084860
                                                                                          • Opcode ID: dac77d5bb4f0f790fc7857b63b52ec75b806bc96aeb93dbad11a193aef2cc69a
                                                                                          • Instruction ID: 281e666ec25d6c914b52693ed2fc9596324c8008ada67ed601ce5183ffbfa09b
                                                                                          • Opcode Fuzzy Hash: dac77d5bb4f0f790fc7857b63b52ec75b806bc96aeb93dbad11a193aef2cc69a
                                                                                          • Instruction Fuzzy Hash: 694185B6925369BFEB10EBA4ED84DBE7F6CEB04600F0449A6E50197005E6B1DAC48B61

                                                                                          Control-flow Graph (summary of rendered graph): basic blocks 3221ac3-3221b70; API calls on the graph: LoadLibraryA, GetProcAddress, GetAdaptersAddresses; internal calls to 322ebed, 322ec2e
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 03221AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 03221AE9
                                                                                          • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 03221B20
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 3646706440-1087626847
                                                                                          • Opcode ID: 6278b52abc27259d714e8119546bcd525771c66b2e3a9c615b2e2b3ec0c8e728
                                                                                          • Instruction ID: e1fd3eddc767b75d5a61ead0b5940ebab295aa033e731e9d6c2c22b64bc02df4
                                                                                          • Opcode Fuzzy Hash: 6278b52abc27259d714e8119546bcd525771c66b2e3a9c615b2e2b3ec0c8e728
                                                                                          • Instruction Fuzzy Hash: 97119675E21138BFCB25DBA5DC84CEDFFB9EB45B10B198055F006A7101E6706AD0DB94

                                                                                          Control-flow Graph (summary of rendered graph): basic blocks 322e3ca-322e52d; API calls on the graph: RegOpenKeyExA, RegQueryValueExA (three call sites), RegCloseKey; internal calls to 322ee08, 322f1ed, 322db2e, 3222544, 322e332
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,0322E5F2,00000000,00020119,0322E5F2,032322F8), ref: 0322E3E6
                                                                                          • RegQueryValueExA.ADVAPI32(0322E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0322E44E
                                                                                          • RegQueryValueExA.ADVAPI32(0322E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0322E482
                                                                                          • RegQueryValueExA.ADVAPI32(0322E5F2,?,00000000,?,80000001,?), ref: 0322E4CF
                                                                                          • RegCloseKey.ADVAPI32(0322E5F2,?,?,?,?,000000C8,000000E4), ref: 0322E520
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpen
                                                                                          • String ID:
                                                                                          • API String ID: 1586453840-0
                                                                                          • Opcode ID: 817a0b1fc1ae8b93506f0af31db52a3d172c9eec0d6506e1812af2a7f8295d40
                                                                                          • Instruction ID: c17e6012c73820f022f65b2736bd0dd9a784f59514524d86407a267cd73d6524
                                                                                          • Opcode Fuzzy Hash: 817a0b1fc1ae8b93506f0af31db52a3d172c9eec0d6506e1812af2a7f8295d40
                                                                                          • Instruction Fuzzy Hash: AD4136B6D1022EBFEF11EFD4DC84DEEBBBDEB04300F054066EA11A6150E3719A959B60

                                                                                          Control-flow Graph (summary of rendered graph): single basic block 322f26d-322f303; API calls on the graph: setsockopt (five call sites)
                                                                                          APIs
                                                                                          • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0322F2A0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0322F2C0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0322F2DD
                                                                                          • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0322F2EC
                                                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0322F2FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: setsockopt
                                                                                          • String ID:
                                                                                          • API String ID: 3981526788-0
                                                                                          • Opcode ID: 3a6c467cec723e60a90bf90d88bade230fa971430db512ef588e66bca2728e9c
                                                                                          • Instruction ID: 360da281fe2b9b192851218df7afc52e7428a735dc1d032439ff1c1f6f146b3e
                                                                                          • Opcode Fuzzy Hash: 3a6c467cec723e60a90bf90d88bade230fa971430db512ef588e66bca2728e9c
                                                                                          • Instruction Fuzzy Hash: 5C110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94

                                                                                          Control-flow Graph (summary of rendered graph): basic blocks 3221bdf-3221c5e; API calls on the graph: GetComputerNameA, GetVolumeInformationA; internal call to 3221ac3 (the GetAdaptersAddresses wrapper above)
                                                                                          APIs
                                                                                            • Part of subcall function 03221AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 03221AD4
                                                                                            • Part of subcall function 03221AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 03221AE9
                                                                                            • Part of subcall function 03221AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 03221B20
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 03221C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 03221C51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2794401326-2393279970
                                                                                          • Opcode ID: 2723d76a07e6c5aef2eec93825690cb9615ae4a2cf29399b607c8056d97d478f
                                                                                          • Instruction ID: 56acbd3bb1a9fedeb4027366498c7467e06f9f04bfa61b894f8216ff9f4d5bb9
                                                                                          • Opcode Fuzzy Hash: 2723d76a07e6c5aef2eec93825690cb9615ae4a2cf29399b607c8056d97d478f
                                                                                          • Instruction Fuzzy Hash: F1018476910129BBEB10DAE8CCC6CEFBABCA744645F144475D602E2100D170AD8486A1
                                                                                          APIs
                                                                                            • Part of subcall function 03221AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 03221AD4
                                                                                            • Part of subcall function 03221AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 03221AE9
                                                                                            • Part of subcall function 03221AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 03221B20
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 03221BA3
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,03221EFD,00000000,00000000,00000000,00000000), ref: 03221BB8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2794401326-1857712256
                                                                                          • Opcode ID: 84f0b792fe75aec30bc168d391fe4173b2a2e0b2b7628601a0584eb6e02be71a
                                                                                          • Instruction ID: 64af620e6347e1e1d9d58d00532db96b4d56343168459b8ed630382b158ad1ca
                                                                                          • Opcode Fuzzy Hash: 84f0b792fe75aec30bc168d391fe4173b2a2e0b2b7628601a0584eb6e02be71a
                                                                                          • Instruction Fuzzy Hash: 18014BB6D00118BFEB00DAE9CC85DEFFABCAB48650F154162A601E7140D5B06E4886A0
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(00000001), ref: 03222693
                                                                                          • gethostbyname.WS2_32(00000001), ref: 0322269F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          APIs
                                                                                            • Part of subcall function 0322DD05: GetTickCount.KERNEL32 ref: 0322DD0F
                                                                                            • Part of subcall function 0322DD05: InterlockedExchange.KERNEL32(032336B4,00000001), ref: 0322DD44
                                                                                            • Part of subcall function 0322DD05: GetCurrentThreadId.KERNEL32 ref: 0322DD53
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0322A445), ref: 0322E558
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,76230F10,?,00000000,?,0322A445), ref: 0322E583
                                                                                          • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0322A445), ref: 0322E5B2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                          • String ID:
                                                                                          • API String ID: 3683885500-0
                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(000003E8), ref: 032288A5
                                                                                            • Part of subcall function 0322F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0322E342,00000000,75B4EA50,80000001,00000000,0322E513,?,00000000,00000000,?,000000E4), ref: 0322F089
                                                                                            • Part of subcall function 0322F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0322E342,00000000,75B4EA50,80000001,00000000,0322E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0322F093
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$FileSystem$Sleep
                                                                                          • String ID: localcfg$rresolv
                                                                                          • API String ID: 1561729337-486471987
                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,032322F8,032242B6,00000000,00000001,032322F8,00000000,?,032298FD), ref: 03224021
                                                                                          • GetLastError.KERNEL32(?,032298FD,00000001,00000100,032322F8,0322A3C7), ref: 0322402C
                                                                                          • Sleep.KERNEL32(000001F4,?,032298FD,00000001,00000100,032322F8,0322A3C7), ref: 03224046
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                          • String ID:
                                                                                          • API String ID: 408151869-0
                                                                                          APIs
                                                                                          • GetEnvironmentVariableA.KERNEL32(0322DC19,?,00000104), ref: 0322DB7F
                                                                                          • lstrcpyA.KERNEL32(?,032328F8), ref: 0322DBA4
                                                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0322DBC2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                          • String ID:
                                                                                          • API String ID: 2536392590-0
                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0322EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0322EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0322EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 032230D8
                                                                                          • gethostbyname.WS2_32(?), ref: 032230E2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynamegethostname
                                                                                          • String ID:
                                                                                          • API String ID: 3961807697-0
                                                                                          APIs
                                                                                            • Part of subcall function 0322EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0322EC0A,00000000,80000001,?,0322DB55,7FFF0001), ref: 0322EBAD
                                                                                            • Part of subcall function 0322EBA0: HeapSize.KERNEL32(00000000,?,0322DB55,7FFF0001), ref: 0322EBB4
                                                                                          • GetProcessHeap.KERNEL32(00000000,0322EA27,00000000,0322EA27,00000000), ref: 0322EC41
                                                                                          • RtlFreeHeap.NTDLL(00000000), ref: 0322EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$FreeSize
                                                                                          • String ID:
                                                                                          • API String ID: 1305341483-0
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0322EBFE,7FFF0001,?,0322DB55,7FFF0001), ref: 0322EBD3
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,0322DB55,7FFF0001), ref: 0322EBDA
                                                                                            • Part of subcall function 0322EB74: GetProcessHeap.KERNEL32(00000000,00000000,0322EC28,00000000,?,0322DB55,7FFF0001), ref: 0322EB81
                                                                                            • Part of subcall function 0322EB74: HeapSize.KERNEL32(00000000,?,0322DB55,7FFF0001), ref: 0322EB88
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocateSize
                                                                                          • String ID:
                                                                                          • API String ID: 2559512979-0
                                                                                          APIs
                                                                                          • recv.WS2_32(000000C8,?,00000000,0322CA44), ref: 0322F476
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: recv
                                                                                          • String ID:
                                                                                          • API String ID: 1507349165-0
                                                                                          APIs
                                                                                          • closesocket.WS2_32(00000000), ref: 03221992
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesocket
                                                                                          • String ID:
                                                                                          • API String ID: 2781271927-0
                                                                                          APIs
                                                                                          • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0322DDB5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmpi
                                                                                          • String ID:
                                                                                          • API String ID: 1586166983-0
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,03229816,EntryPoint), ref: 0322638F
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,03229816,EntryPoint), ref: 032263A9
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 032263CA
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 032263EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,03221839,03229646), ref: 03221012
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 032210C2
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 032210E1
                                                                                          • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 03221101
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 03221121
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 03221140
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 03221160
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 03221180
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0322119F
                                                                                          • GetProcAddress.KERNEL32(00000000,NtClose), ref: 032211BF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 032211DF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 032211FE
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0322121A
                                                                                          Strings
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 57f2da94b401301e8ddcfcd663186c2823bbb4fded96618b9e0c2eee7cd4dc51
• Instruction ID: 37a7f85f8b5c31d2ebe128182435b932a63364caa0da3d3b60b7b5e13f0543c8
• Instruction Fuzzy Hash: 4351D675622623FAC720EA6DBC48B967AE86748731F088356A620C31D4D7B4E3D3CF51
APIs
• GetLocalTime.KERNEL32(?), ref: 0322B2B3
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0322B2C2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0322B2D0
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0322B2E1
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0322B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0322B329
• wsprintfA.USER32 ref: 0322B3B7
Strings
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: 118b55cb1c0cfcdb1b356409d4e1a42405c5f6780947a6963c99f7adcf2fdc9d
• Instruction ID: e4c00bb75665dc8ebda56c89528754c0a6dbba48c842d8f8c59e91d156a5f917
• Instruction Fuzzy Hash: CC513AB1D2022DABCF14DFD5D8889EEBBB9BF49704F148859E602A7150D3744AC9CBA4
APIs
Strings
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: 82a2111cbfe6b5c35028045b20633b009f3a1a645701549ffd8e97a009bf2053
• Instruction ID: a489c7ec6106745b588da3eabba03411e0408d43b70f3892cbb589e6fc46cdea
• Instruction Fuzzy Hash: 94616FB2960218AFDB60DFB4DC45FEA7BF9FF09300F148069F969D2121DA7199808F60
APIs
Strings
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-4264063882
• Opcode ID: 72e2c480e21e6ecc255108694e26fa51fada8664e2a014e4cb69c969679ef3ee
• Instruction ID: 5c3aefc14d82ec252c2d0e0185643d694ba28e6346b962a5bacd87cbfedd3445
• Instruction Fuzzy Hash: D3A17A71970376BFDF20DA54EC85FAE7F69AB11704F184056F902AA890DEB089C8C755
APIs
• ShellExecuteExW.SHELL32(?), ref: 0322139A
• lstrlenW.KERNEL32(-00000003), ref: 03221571
Strings
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: 189d8fb9d3306a7642f0f0795dbc5261756c8b53716bb76a018030312cfd1e2e
• Instruction ID: a8da5fbf9d634f12f8b8dff24ad254cc0ef15b95261455a363648fccd3538617
• Instruction Fuzzy Hash: 6BF19DB5518351EFD320DF64C888FAABBE9FB88300F04891DF69697290D774E994CB52
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 03222A83
• HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 03222A86
• socket.WS2_32(00000002,00000002,00000011), ref: 03222AA0
• htons.WS2_32(00000000), ref: 03222ADB
• select.WS2_32 ref: 03222B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 03222B4A
• htons.WS2_32(?), ref: 03222B71
• htons.WS2_32(?), ref: 03222B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 03222BFB
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 12b6b136582db26f65784025e5175366c7f563dc99b3ee1304477d61568e10ac
• Instruction ID: b6bc7c4d316bf8f8e791fb54ead5e0ebe59e3853216a653cd01611a30c57981b
• Instruction Fuzzy Hash: AD61B271518325EBC760EF55DC48B6ABFECFB48751F068C09F9859B140D7B6D8808BA2
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 032270C2
• RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0322719E
• RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 032271B2
• RegCloseKey.ADVAPI32(76230F10), ref: 03227208
• RegCloseKey.ADVAPI32(76230F10), ref: 03227291
• ___ascii_stricmp.LIBCMT ref: 032272C2
• RegCloseKey.ADVAPI32(76230F10), ref: 032272D0
• RegCloseKey.ADVAPI32(76230F10), ref: 03227314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0322738D
• RegCloseKey.ADVAPI32(76230F10), ref: 032273D8
  • Part of subcall function 0322F1A5: lstrlenA.KERNEL32(000000C8,000000E4,032322F8,000000C8,03227150,?), ref: 0322F1AD
Strings
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 5b9e7b0c92e92c9eb994109b77721f97ef30f344225a067e8b204145042cfcd6
• Instruction ID: be3b45225035a69dc582eff64c413d562056945fdcad69c07f947ed6d2287010
• Instruction Fuzzy Hash: F7B1947282422ABEDF15EFA4DC44EEE7BB8EF04310F144566F501E6081EBB59AC4CB60
APIs
• GetLocalTime.KERNEL32(?), ref: 0322AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0322ADA6
  • Part of subcall function 0322AD08: gethostname.WS2_32(?,00000080), ref: 0322AD1C
  • Part of subcall function 0322AD08: lstrlenA.KERNEL32(?), ref: 0322AD60
  • Part of subcall function 0322AD08: lstrlenA.KERNEL32(?), ref: 0322AD69
  • Part of subcall function 0322AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0322AD7F
  • Part of subcall function 032230B5: gethostname.WS2_32(?,00000080), ref: 032230D8
  • Part of subcall function 032230B5: gethostbyname.WS2_32(?), ref: 032230E2
• wsprintfA.USER32 ref: 0322AEA5
  • Part of subcall function 0322A7A3: inet_ntoa.WS2_32(00000000), ref: 0322A7A9
• wsprintfA.USER32 ref: 0322AE4F
• wsprintfA.USER32 ref: 0322AE5E
  • Part of subcall function 0322EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0322EF92
  • Part of subcall function 0322EF7C: lstrlenA.KERNEL32(?), ref: 0322EF99
  • Part of subcall function 0322EF7C: lstrlenA.KERNEL32(00000000), ref: 0322EFA0
Strings
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: fb0236dc59d6d22df902167bbd032d483441319b30907a4abce23af7b4e7530f
• Instruction ID: c3a2caa9f285790c25abcfcb672f70fef29399a2b4cfa0f3853f9efa5d89ed4a
• Instruction Fuzzy Hash: 684161B691031CBFDF25EFA0DC45EEE3BADFB08300F14441AF92596151EAB1D9849B60
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,03222F0F,?,032220FF,03232000), ref: 03222E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,03222F0F,?,032220FF,03232000), ref: 03222E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 03222E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,03222F0F,?,032220FF,03232000), ref: 03222E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,03222F0F,?,032220FF,03232000), ref: 03222E4F
• htons.WS2_32(00000035), ref: 03222E88
• inet_addr.WS2_32(?), ref: 03222E93
• gethostbyname.WS2_32(?), ref: 03222EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,03222F0F,?,032220FF,03232000), ref: 03222EE3
• HeapFree.KERNEL32(00000000,?,00000000,03222F0F,?,032220FF,03232000), ref: 03222EE6
Strings
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: 6ab67b09f4f98a9fa7960d3aeba528615c612a8c1b91b1bc5c1a5da02cf59568
• Instruction ID: 96117ed86c2dd1115efb8d1719f2a70e6b803d8870bb62a6e0cb469239853313
• Instruction Fuzzy Hash: 8F31B531A10316FBDB50EB789C48AAEBBBCEF08760F188555F915E7190DB31E581A7A0
APIs
• GetVersionExA.KERNEL32(?,?,03229DD7,?,00000022,?,?,00000000,00000001), ref: 03229340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,03229DD7,?,00000022,?,?,00000000,00000001), ref: 0322936E
• GetModuleFileNameA.KERNEL32(00000000,?,03229DD7,?,00000022,?,?,00000000,00000001), ref: 03229375
• wsprintfA.USER32 ref: 032293CE
• wsprintfA.USER32 ref: 0322940C
• wsprintfA.USER32 ref: 0322948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 032294F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 03229526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 03229571
Strings
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: runas
APIs
• wsprintfA.USER32 ref: 0322B467
  • Part of subcall function 0322EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0322EF92
  • Part of subcall function 0322EF7C: lstrlenA.KERNEL32(?), ref: 0322EF99
  • Part of subcall function 0322EF7C: lstrlenA.KERNEL32(00000000), ref: 0322EFA0
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
APIs
• GetTickCount.KERNEL32 ref: 03222078
• GetTickCount.KERNEL32 ref: 032220D4
• GetTickCount.KERNEL32 ref: 032220DB
• GetTickCount.KERNEL32 ref: 0322212B
• GetTickCount.KERNEL32 ref: 03222132
• GetTickCount.KERNEL32 ref: 03222142
  • Part of subcall function 0322F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0322E342,00000000,75B4EA50,80000001,00000000,0322E513,?,00000000,00000000,?,000000E4), ref: 0322F089
  • Part of subcall function 0322F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0322E342,00000000,75B4EA50,80000001,00000000,0322E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0322F093
  • Part of subcall function 0322E854: lstrcpyA.KERNEL32(00000001,?,?,0322D8DF,00000001,localcfg,except_info,00100000,03230264), ref: 0322E88B
  • Part of subcall function 0322E854: lstrlenA.KERNEL32(00000001,?,0322D8DF,00000001,localcfg,except_info,00100000,03230264), ref: 0322E899
  • Part of subcall function 03221C5F: wsprintfA.USER32 ref: 03221CE1
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
APIs
  • Part of subcall function 0322A4C7: GetTickCount.KERNEL32 ref: 0322A4D1
  • Part of subcall function 0322A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0322A4FA
• GetTickCount.KERNEL32 ref: 0322C31F
• GetTickCount.KERNEL32 ref: 0322C32B
• GetTickCount.KERNEL32 ref: 0322C363
• GetTickCount.KERNEL32 ref: 0322C378
• GetTickCount.KERNEL32 ref: 0322C44D
• InterlockedIncrement.KERNEL32(0322C4E4), ref: 0322C4AE
• CreateThread.KERNEL32(00000000,00000000,0322B535,00000000,?,0322C4E0), ref: 0322C4C1
• CloseHandle.KERNEL32(00000000,?,0322C4E0,03233588,03228810), ref: 0322C4CC
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0322BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0322BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0322BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0322BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0322BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0322BF94
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,03229A60,?,?,03229E9D), ref: 03226A7D
• GetDiskFreeSpaceA.KERNEL32(03229E9D,03229A60,?,?,?,032322F8,?,?,?,03229A60,?,?,03229E9D), ref: 03226ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,03229A60,?,?,03229E9D), ref: 03226B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,03229A60,?,?,03229E9D), ref: 03226B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,03229A60,?,?,03229E9D), ref: 03226B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,03229A60,?,?,03229E9D), ref: 03226B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,03229A60,?,?,03229E9D), ref: 03226B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,03229A60,?,?,03229E9D), ref: 03226B80
• GetLastError.KERNEL32(?,?,?,03229A60,?,?,03229E9D,?,?,?,?,?,03229E9D,?,00000022,?), ref: 03226B96
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
APIs
• GetUserNameA.ADVAPI32(?,0322D7C3), ref: 03226F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0322D7C3), ref: 03226FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 03226FE8
• LocalFree.KERNEL32(00000120), ref: 0322701F
• wsprintfA.USER32 ref: 03227036
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,032322F8,000000E4,03226DDC,000000C8), ref: 03226CE7
• GetProcAddress.KERNEL32(00000000), ref: 03226CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 03226D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 03226D2B
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
APIs
• CreateProcessA.KERNEL32(00000000,03229947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,032322F8), ref: 032297B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,032322F8), ref: 032297EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,032322F8), ref: 032297F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,032322F8), ref: 03229831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,032322F8), ref: 0322984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,032322F8), ref: 0322985B
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
APIs
  • Part of subcall function 0322DD05: GetTickCount.KERNEL32 ref: 0322DD0F
  • Part of subcall function 0322DD05: InterlockedExchange.KERNEL32(032336B4,00000001), ref: 0322DD44
  • Part of subcall function 0322DD05: GetCurrentThreadId.KERNEL32 ref: 0322DD53
  • Part of subcall function 0322DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0322DDB5
• lstrcpynA.KERNEL32(?,03221E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0322EAAA,?,?), ref: 0322E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0322EAAA,?,?,00000001,?,03221E84,?), ref: 0322E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0322EAAA,?,?,00000001,?,03221E84,?,0000000A), ref: 0322E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0322EAAA,?,?,00000001,?,03221E84,?), ref: 0322E94F
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
APIs
• API ID: Code
• String ID:
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,032322F8), ref: 0322907B
                                                                                          • wsprintfA.USER32 ref: 032290E9
                                                                                          • CreateFileA.KERNEL32(032322F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0322910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 03229122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0322912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 03229134
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 2439722600-0
                                                                                          • Opcode ID: 6af6b8c88fd5f762c3914818979b4a20d11fa5cca59939ba7fb22dd338edf8bb
                                                                                          • Instruction ID: 7f03abe885354c02937ed5034da39370a94c23288b2f9c7c9179f4ca873bd133
                                                                                          • Opcode Fuzzy Hash: 6af6b8c88fd5f762c3914818979b4a20d11fa5cca59939ba7fb22dd338edf8bb
                                                                                          • Instruction Fuzzy Hash: FA119AB66502247FF724BA72EC0DFEF3A7DDBC5B00F00C065BB0AA5144EAB44A919670
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0322DD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0322DD20
                                                                                          • GetTickCount.KERNEL32 ref: 0322DD2E
                                                                                          • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0322E538,?,76230F10,?,00000000,?,0322A445), ref: 0322DD3B
                                                                                          • InterlockedExchange.KERNEL32(032336B4,00000001), ref: 0322DD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0322DD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: eb4ee137eee201e34d35b37d10e26cdbb6414fd69834905d99c2e2273dfa4308
                                                                                          • Instruction ID: b5b8598956ded9894ea546fb73df18b1678cc35d1b77cda364816029e46f4887
                                                                                          • Opcode Fuzzy Hash: eb4ee137eee201e34d35b37d10e26cdbb6414fd69834905d99c2e2273dfa4308
                                                                                          • Instruction Fuzzy Hash: 22F05E77564214EFD780FB6ABD8CBA97BA9E744212F00C015E60AC2249D66091858E76
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 0322AD1C
                                                                                          • lstrlenA.KERNEL32(?), ref: 0322AD60
                                                                                          • lstrlenA.KERNEL32(?), ref: 0322AD69
                                                                                          • lstrcpyA.KERNEL32(?,LocalHost), ref: 0322AD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: 72f690add1b1e035400d6abce2521c5355d50e3390183b8d7581cb4deab9f975
                                                                                          • Instruction ID: 92f8bebf2f818ee4eaa822009b0266657f894a61dc9147c71087c47f3040aeea
                                                                                          • Opcode Fuzzy Hash: 72f690add1b1e035400d6abce2521c5355d50e3390183b8d7581cb4deab9f975
                                                                                          • Instruction Fuzzy Hash: 0A016824C641AB7EDF35D628DC44BF87F7AAB87606F088096E4C18B915EF6490C78762
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,032298FD,00000001,00000100,032322F8,0322A3C7), ref: 03224290
                                                                                          • CloseHandle.KERNEL32(0322A3C7), ref: 032243AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 032243AE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID:
                                                                                          • API String ID: 1371578007-0
                                                                                          • Opcode ID: 47662f9d9abc25cdb9f6c2861132e846b4d7b9caf5d14e991eeb1c945f44691d
                                                                                          • Instruction ID: a261c3ddfdff62f569f2aab78e07064f19d12d8f20622ba12547b81063b61473
                                                                                          • Opcode Fuzzy Hash: 47662f9d9abc25cdb9f6c2861132e846b4d7b9caf5d14e991eeb1c945f44691d
                                                                                          • Instruction Fuzzy Hash: D541AFB5820219BADF10EBA2DD85FEFBFBCEF40324F204555F615A6180D7749680DBA0
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 0322609C
                                                                                          • LoadLibraryA.KERNEL32(?,?,032264CF,00000000), ref: 032260C3
                                                                                          • GetProcAddress.KERNEL32(?,00000014), ref: 0322614A
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0322619E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: b23f9976b167aea0e0abadbb837cb0093693284ed0ac880a73e80832c1ad9c63
                                                                                          • Instruction ID: 873570f8f1abcc25a6f834d0b5f3b264ee3c16d242cdff9113a595d30c47d6d6
                                                                                          • Opcode Fuzzy Hash: b23f9976b167aea0e0abadbb837cb0093693284ed0ac880a73e80832c1ad9c63
                                                                                          • Instruction Fuzzy Hash: 87414D72A20116BBDB14CF58CC84AA9BBB9FF04754F188069E896D7391D7B0F980CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5973c4eff1ec3c8465f83a6f6ad95c383170b6c64efdebc156ab691aeb45bc41
                                                                                          • Instruction ID: d9e7680bfeed46979c9b3efbafe7483ff731ea38e05ff9f12c22222f6e633cb9
                                                                                          • Opcode Fuzzy Hash: 5973c4eff1ec3c8465f83a6f6ad95c383170b6c64efdebc156ab691aeb45bc41
                                                                                          • Instruction Fuzzy Hash: 8D31B175910329FBCB10DFA5CC81ABEBBF8EF48701F108856E945EA244E3B5D6918B60
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0322272E
                                                                                          • htons.WS2_32(00000001), ref: 03222752
                                                                                          • htons.WS2_32(0000000F), ref: 032227D5
                                                                                          • htons.WS2_32(00000001), ref: 032227E3
                                                                                          • sendto.WS2_32(?,03232BF8,00000009,00000000,00000010,00000010), ref: 03222802
                                                                                            • Part of subcall function 0322EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0322EBFE,7FFF0001,?,0322DB55,7FFF0001), ref: 0322EBD3
                                                                                            • Part of subcall function 0322EBCC: RtlAllocateHeap.NTDLL(00000000,?,0322DB55,7FFF0001), ref: 0322EBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1128258776-0
                                                                                          • Opcode ID: dd5ac2c80152a3940d4cd9ad38b8e03ca546feac7e250a7e704549facc03cd49
                                                                                          • Instruction ID: a73750abbbb255c884535e3e451e3d09ac76b939b5d75f7989b2ef2222b8987f
                                                                                          • Opcode Fuzzy Hash: dd5ac2c80152a3940d4cd9ad38b8e03ca546feac7e250a7e704549facc03cd49
                                                                                          • Instruction Fuzzy Hash: D9310034258392FFD710EF74F884A697B75AF19318B1AC8ADE8558B312D6739882DB10
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,032322F8), ref: 0322915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 03229166
                                                                                          • CharToOemA.USER32(?,?), ref: 03229174
                                                                                          • wsprintfA.USER32 ref: 032291A9
                                                                                            • Part of subcall function 03229064: GetTempPathA.KERNEL32(00000400,?,00000000,032322F8), ref: 0322907B
                                                                                            • Part of subcall function 03229064: wsprintfA.USER32 ref: 032290E9
                                                                                            • Part of subcall function 03229064: CreateFileA.KERNEL32(032322F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0322910E
                                                                                            • Part of subcall function 03229064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 03229122
                                                                                            • Part of subcall function 03229064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0322912D
                                                                                            • Part of subcall function 03229064: CloseHandle.KERNEL32(00000000), ref: 03229134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 032291E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3857584221-0
                                                                                          • Opcode ID: ec3bc9be1b66d7cf3e48618c5c6ae851be7b684f68aeea3ff855ea0e3fe31e1f
                                                                                          • Instruction ID: 67b38d52f9438329dfc737d39794dbff4a875480e5d247b5225d32d6e2167949
                                                                                          • Opcode Fuzzy Hash: ec3bc9be1b66d7cf3e48618c5c6ae851be7b684f68aeea3ff855ea0e3fe31e1f
                                                                                          • Instruction Fuzzy Hash: 230140F69002287BDB20E6619D8DEDF7A7CDB95B01F004091B74AE6040D6B096C5CF70
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,03222491,?,?,?,0322E844,-00000030,?,?,?,00000001), ref: 03222429
                                                                                          • lstrlenA.KERNEL32(?,?,03222491,?,?,?,0322E844,-00000030,?,?,?,00000001,03221E3D,00000001,localcfg,lid_file_upd), ref: 0322243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 03222452
                                                                                          • lstrlenA.KERNEL32(?,?,03222491,?,?,?,0322E844,-00000030,?,?,?,00000001,03221E3D,00000001,localcfg,lid_file_upd), ref: 03222467
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: b49e664d8b5fed5b58d53b3585597cc0146c24f514bb333185f43975f7acb50c
                                                                                          • Instruction ID: c70cf4eb31e9c3650795b57fbcc84b8e9ec0d70aab080665bbdc15a572dff2ab
                                                                                          • Opcode Fuzzy Hash: b49e664d8b5fed5b58d53b3585597cc0146c24f514bb333185f43975f7acb50c
                                                                                          • Instruction Fuzzy Hash: B5011A32A10229FFCF51EF69DC848DEBBB9EF44254B45C825F85997200E331EA80CA90
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          • Opcode ID: 83dc89269974c8eeb9a183cccba78e38146bea8f29379816c2b6e88eebb8ba05
                                                                                          • Instruction ID: b24c47341c5d8fb0e466f2d36e3b38d4b63f988e93089f1b26e3e1c0def579f7
                                                                                          • Opcode Fuzzy Hash: 83dc89269974c8eeb9a183cccba78e38146bea8f29379816c2b6e88eebb8ba05
                                                                                          • Instruction Fuzzy Hash: 1641BB729042A9AFCB31CFB88C44AEE7FECAF49310F240052F9A4D7142D675E645CBA0
                                                                                          APIs
                                                                                            • Part of subcall function 0322DD05: GetTickCount.KERNEL32 ref: 0322DD0F
                                                                                            • Part of subcall function 0322DD05: InterlockedExchange.KERNEL32(032336B4,00000001), ref: 0322DD44
                                                                                            • Part of subcall function 0322DD05: GetCurrentThreadId.KERNEL32 ref: 0322DD53
                                                                                          • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,03225EC1), ref: 0322E693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,03225EC1), ref: 0322E6E9
                                                                                          • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,76230F10,00000000,?,03225EC1), ref: 0322E722
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: 89ABCDEF
                                                                                          • API String ID: 3343386518-71641322
                                                                                          • Opcode ID: feb37bba2c2eb22325e0adb645ccb5af063cc31d4d5df9921aaef3e5336394f9
                                                                                          • Instruction ID: d9c3bbf6e279da95b84cafe3d433d60855c7dbf6ca1ebf7466c0ef7fd780ae5a
                                                                                          • Opcode Fuzzy Hash: feb37bba2c2eb22325e0adb645ccb5af063cc31d4d5df9921aaef3e5336394f9
• Instruction Fuzzy Hash: FA31D031520B22EBCB31CE60DC88BA67FE8AF01710F0A886AE4568B540D770E8C4DB91
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0322E2A3,00000000,00000000,00000000,00020106,00000000,0322E2A3,00000000,000000E4), ref: 0322E0B2
• RegSetValueExA.ADVAPI32(0322E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,032322F8), ref: 0322E127
• RegDeleteValueA.ADVAPI32(0322E2A3,?,?,?,?,?,000000C8,032322F8), ref: 0322E158
• RegCloseKey.ADVAPI32(0322E2A3,?,?,?,?,000000C8,032322F8,?,?,?,?,?,?,?,?,0322E2A3), ref: 0322E161
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• API String ID: 2667537340-0
• Opcode ID: 44c9e930bdfaeabe19ae528be796b155dbf2c318185382f73a65d400d76f3d22
• Instruction ID: 2056257f8a8da3f6399995ddc2ec61e305ca41b341f3b6dcc65104ee31248308
• Opcode Fuzzy Hash: 44c9e930bdfaeabe19ae528be796b155dbf2c318185382f73a65d400d76f3d22
• Instruction Fuzzy Hash: E0219171A1022ABBDF20DEA4DC89EDF7F7DEF09B50F048061F905E6050E6718A55DBA0
APIs
• WriteFile.KERNEL32(00000000,00000000,0322A3C7,00000000,00000000,000007D0,00000001), ref: 03223F44
• GetLastError.KERNEL32 ref: 03223F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 03223F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 03223F72
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• API String ID: 3373104450-0
• Opcode ID: d7c0206960a01717946cbb78e8d413c63f183f2839096ebc4eb13a34955434cc
• Instruction ID: 9849b1f420e666ad6b9c7ac5c63680bc1203251cba31b96708eba90710482518
• Opcode Fuzzy Hash: d7c0206960a01717946cbb78e8d413c63f183f2839096ebc4eb13a34955434cc
• Instruction Fuzzy Hash: 0C01087252111ABBDF01EF90ED88BEF7BBCEB04255F508065FA02E6040D774DA548BB2
APIs
• ReadFile.KERNEL32(00000000,00000000,0322A3C7,00000000,00000000,000007D0,00000001), ref: 03223FB8
• GetLastError.KERNEL32 ref: 03223FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 03223FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 03223FE6
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• API String ID: 888215731-0
• Opcode ID: 84183a3152d8963a460838e7f33e9954cf975a7875c37ad710770f39003a0ded
• Instruction ID: 5d556fd2c20270337eb05b8820d0dcff44ccd967ba453cccddf8e95fa436e2e8
• Opcode Fuzzy Hash: 84183a3152d8963a460838e7f33e9954cf975a7875c37ad710770f39003a0ded
• Instruction Fuzzy Hash: A201A97252021AABDF11DF94ED89BEE7B7CEB04255F108051FA02E6090DB74DA548BB1
APIs
• GetTickCount.KERNEL32 ref: 03224BDD
• GetTickCount.KERNEL32 ref: 03224BEC
• Sleep.KERNEL32(00000000,?,?,?,0361E084,032250F2), ref: 03224BF9
• InterlockedExchange.KERNEL32(0361E078,00000001), ref: 03224C02
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
• Opcode ID: 9f5d4f3746b598b0e51ec7d02ab10e8c83af6137a6b36ebc37f00ea8ef6f958a
• Instruction ID: 4200c0e565b320468c285a7da0953746a5face2846d495f017e80050ad69face
• Opcode Fuzzy Hash: 9f5d4f3746b598b0e51ec7d02ab10e8c83af6137a6b36ebc37f00ea8ef6f958a
• Instruction Fuzzy Hash: 2EE07D3371022437C70072BF7C88FDA7B5CDB45262F068072F70AC2140C992E48041B1
APIs
• GetTickCount.KERNEL32 ref: 03224E9E
• GetTickCount.KERNEL32 ref: 03224EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 03224EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 03224EC3
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
• Opcode ID: 26c4a2bf402f4202a09d7a5e34a36354800673e503854d77ed20a22a8d511992
• Instruction ID: 3f5aecc744148ef2a8c23eb5526626fc295d46f2de3e9ad8a8e8dc57b991d5d1
• Opcode Fuzzy Hash: 26c4a2bf402f4202a09d7a5e34a36354800673e503854d77ed20a22a8d511992
• Instruction Fuzzy Hash: DEE07D3331022437E60072BFFC88F9A7B4D9B45270F014172F70AC2144C596D48205F1
APIs
• GetTickCount.KERNEL32 ref: 0322A4D1
• GetTickCount.KERNEL32 ref: 0322A4E4
• Sleep.KERNEL32(00000000,?,0322C2E9,0322C4E0,00000000,localcfg,?,0322C4E0,03233588,03228810), ref: 0322A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0322A4FA
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
• Opcode ID: 72712b7fbc92dccd72e1f8b608ce961c8925c9bace070de7b95b3b7a77c1ec44
• Instruction ID: edf1d3e3f1efd789533288a206291ab002d696765e75aebdb84bf5ac59c805c7
• Opcode Fuzzy Hash: 72712b7fbc92dccd72e1f8b608ce961c8925c9bace070de7b95b3b7a77c1ec44
• Instruction Fuzzy Hash: 1DE026332102256BC600A7A9BD88FAB3B9CAB4D661F058061FA05D3540DA56E48181B2
APIs
• GetTickCount.KERNEL32 ref: 03223103
• GetTickCount.KERNEL32 ref: 0322310F
• Sleep.KERNEL32(00000000), ref: 0322311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 03223128
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• API String ID: 2207858713-0
• Opcode ID: 009bdbc93ab3f489e2a376b86cbcae55cc14d825d1fcb97968a9fb50981c6503
• Instruction ID: f310eeadf84ccb91a235db2387aeefa12b8f5f88f899f0d5c661d796d46abcf7
• Opcode Fuzzy Hash: 009bdbc93ab3f489e2a376b86cbcae55cc14d825d1fcb97968a9fb50981c6503
• Instruction Fuzzy Hash: 20E0C23A620235BBDB00FB7ABD48B896E5EEF84B61F018071F702E2094C6A488408971
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f1957ab502f868e9ab46b572ab83d9d439713fb2ee254f7040e737e4f453be0e
• Instruction ID: 447773bf3f6c084a7e6d1c8c45b9d87c8d573b8fb07ef7f224a50ad7956f9f9f
• Opcode Fuzzy Hash: f1957ab502f868e9ab46b572ab83d9d439713fb2ee254f7040e737e4f453be0e
• Instruction Fuzzy Hash: 4D21B437A30626BFDB10DF78EC955AABFB9FB20251B2D8059D401DB511CB74E988CB50
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0322C057
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 7ee40c019be66d3e9f18f83254c945a2c4c6baa352d51785e5d58406b5c7a507
• Instruction ID: e582d257fbc2f53fb0c2804d99290aea1579d6cb25b8fdfc74728f86cac53d64
• Opcode Fuzzy Hash: 7ee40c019be66d3e9f18f83254c945a2c4c6baa352d51785e5d58406b5c7a507
• Instruction Fuzzy Hash: C6119772100100FFDB429AA9DD48E567FA6FF88718B34819CF6188E126D633D863EB50
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 032226C3
• inet_ntoa.WS2_32(?), ref: 032226E4
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: dec033c9d5da556ef2b07957d79c1451fb1e82d50be95ff0b4d79109e37e51d9
• Instruction ID: 09b5f34e1d48028b01ff453813fc266c0a2a1f698048d9568b5c34c9261e9ce8
• Opcode Fuzzy Hash: dec033c9d5da556ef2b07957d79c1451fb1e82d50be95ff0b4d79109e37e51d9
• Instruction Fuzzy Hash: DFF03737268319BFEF04EFA4EC09EAA3B9CDF05650F148465F909DE090DBB1D5809798
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0322EB54,_alldiv,0322F0B7,80000001,00000000,00989680,00000000,?,?,?,0322E342,00000000,75B4EA50,80000001,00000000), ref: 0322EAF2
• GetProcAddress.KERNEL32(77310000,00000000), ref: 0322EB07
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 3fd822e7af76d8e1da4f9dd550107a5b3056e0a21f40a3d9c06dd1fef967ee85
• Instruction ID: 783bad281795d295aab63c9a7a5b0adf32706804d316ee78ee2a03732a072bd6
• Opcode Fuzzy Hash: 3fd822e7af76d8e1da4f9dd550107a5b3056e0a21f40a3d9c06dd1fef967ee85
• Instruction Fuzzy Hash: 34D0C978A65303AFCF52EF65F94E9597AACBB40A01B40C095B55BC1505E730D494EA14
APIs
  • Part of subcall function 03222D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,03222F01,?,032220FF,03232000), ref: 03222D3A
  • Part of subcall function 03222D21: LoadLibraryA.KERNEL32(?), ref: 03222D4A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 03222F73
• HeapFree.KERNEL32(00000000), ref: 03222F7A
Memory Dump Source
• Source File: 00000010.00000002.3382908601.0000000003220000.00000040.00000400.00020000.00000000.sdmp, Offset: 03220000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_3220000_svchost.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• API String ID: 1017166417-0
• Opcode ID: 277335bce8bc33e54ba65d6acc3b11c2eedeac00cb1c53596c7e9e704ebdca64
• Instruction ID: 24f569a697c59664d8383c059405ecb2534122272624e4bba826f97c5064b21a
• Opcode Fuzzy Hash: 277335bce8bc33e54ba65d6acc3b11c2eedeac00cb1c53596c7e9e704ebdca64
• Instruction Fuzzy Hash: 9B51C07591022AEFCB01DF64DC889F9BB79FF05300F1485A9ED96D7210E7329A59CB90