
Windows Analysis Report
6foBmRMlDy.exe

Overview

General Information

Sample name: 6foBmRMlDy.exe (renamed because original name is a hash value)
Original sample name: e4352f63724267bed81e8c199bd8ca0f.exe
Analysis ID: 1531711
MD5: e4352f63724267bed81e8c199bd8ca0f
SHA1: ce9c69ca36920f076fe1369be4d9001085ca8602
SHA256: 5ffda142aa321a2b5546c426a28403d7f19b51b88985c8617f11c04411489e30
Tags: 32exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 6foBmRMlDy.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\6foBmRMlDy.exe" MD5: E4352F63724267BED81E8C199BD8CA0F)
    • cmd.exe (PID: 5480 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gqbqwogt\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2924 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnmlavab.exe" C:\Windows\SysWOW64\gqbqwogt\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5644 cmdline: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3916 cmdline: "C:\Windows\System32\sc.exe" description gqbqwogt "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3472 cmdline: "C:\Windows\System32\sc.exe" start gqbqwogt MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 1808 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • lnmlavab.exe (PID: 5840 cmdline: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d"C:\Users\user\Desktop\6foBmRMlDy.exe" MD5: 415D8A2F273DA3EB07A38C1E95C0BB82)
    • svchost.exe (PID: 6812 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 6852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 568 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 3984 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 5440 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5840 -ip 5840 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 712 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3180 -ip 3180 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6932 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

Source | Rule | Description | Author | Strings
0.3.6foBmRMlDy.exe.630000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.6foBmRMlDy.exe.630000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
12.2.lnmlavab.exe.dd0000.2.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
12.2.lnmlavab.exe.dd0000.2.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.2.lnmlavab.exe.dd0000.2.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d"C:\Users\user\Desktop\6foBmRMlDy.exe", ParentImage: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe, ParentProcessId: 5840, ParentProcessName: lnmlavab.exe, ProcessCommandLine: svchost.exe, ProcessId: 6812, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\6foBmRMlDy.exe", ParentImage: C:\Users\user\Desktop\6foBmRMlDy.exe, ParentProcessId: 3180, ParentProcessName: 6foBmRMlDy.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5644, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 6812, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49711
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d"C:\Users\user\Desktop\6foBmRMlDy.exe", ParentImage: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe, ParentProcessId: 5840, ParentProcessName: lnmlavab.exe, ProcessCommandLine: svchost.exe, ProcessId: 6812, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6812, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gqbqwogt
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\6foBmRMlDy.exe", ParentImage: C:\Users\user\Desktop\6foBmRMlDy.exe, ParentProcessId: 3180, ParentProcessName: 6foBmRMlDy.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5644, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3984, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: 6foBmRMlDy.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\lnmlavab.exe | Avira: detection malicious, Label: HEUR/AGEN.1307867
Source: 12.3.lnmlavab.exe.d90000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\lnmlavab.exe | Joe Sandbox ML: detected
Source: 6foBmRMlDy.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Unpacked PE file: 0.2.6foBmRMlDy.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Unpacked PE file: 12.2.lnmlavab.exe.400000.0.unpack
Source: 6foBmRMlDy.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\gqbqwogt

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.71.27 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.106 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.228.234.180 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.11.0
Source: Joe Sandbox View | IP Address: 67.195.228.106
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | ASN Name: ITOS-ASRU
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 52.101.11.0:25
Source: global traffic | TCP traffic: 192.168.2.6:61283 -> 67.195.228.106:25
Source: global traffic | TCP traffic: 192.168.2.6:61403 -> 74.125.71.27:25
Source: global traffic | TCP traffic: 192.168.2.6:61476 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61424
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61479
Source: unknown | Network traffic detected: HTTP traffic on port 61479 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 61424 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 12.2.lnmlavab.exe.dd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6foBmRMlDy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.dd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6foBmRMlDy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6foBmRMlDy.exe.600e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.6foBmRMlDy.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.d70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.lnmlavab.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2be0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6foBmRMlDy.exe PID: 3180, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lnmlavab.exe PID: 5840, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6812, type: MEMORYSTR

        System Summary

        barindex
        Source: 0.3.6foBmRMlDy.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.6foBmRMlDy.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.lnmlavab.exe.dd0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.lnmlavab.exe.dd0000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.6foBmRMlDy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.6foBmRMlDy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.6foBmRMlDy.exe.600e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.6foBmRMlDy.exe.600e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.lnmlavab.exe.d70e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.lnmlavab.exe.d70e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.lnmlavab.exe.dd0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.lnmlavab.exe.dd0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.6foBmRMlDy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.6foBmRMlDy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.lnmlavab.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.lnmlavab.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.6foBmRMlDy.exe.600e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.6foBmRMlDy.exe.600e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.6foBmRMlDy.exe.630000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.6foBmRMlDy.exe.630000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.lnmlavab.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.lnmlavab.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.lnmlavab.exe.d70e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.lnmlavab.exe.d70e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.3.lnmlavab.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.lnmlavab.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 13.2.svchost.exe.2be0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 13.2.svchost.exe.2be0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.3.lnmlavab.exe.d90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.lnmlavab.exe.d90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 13.2.svchost.exe.2be0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 13.2.svchost.exe.2be0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2130315965.000000000072D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.2133585534.00000000006A2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
        Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\gqbqwogt\
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_0040C913
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_00445C78
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_0044780B
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_00447D4F
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_0043F5CB
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_004491A8
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_004472C7
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_0040C913
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_00445C78
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_0044780B
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_00447D4F
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_0043F5CB
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_004491A8
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_004472C7
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_02BEC913
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: String function: 0043FB94 appears 36 times
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: String function: 00402544 appears 53 times
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: String function: 006027AB appears 35 times
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: String function: 0043FB94 appears 36 times
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5840 -ip 5840
        Source: 6foBmRMlDy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 0.3.6foBmRMlDy.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.6foBmRMlDy.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.lnmlavab.exe.dd0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.lnmlavab.exe.dd0000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.6foBmRMlDy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.6foBmRMlDy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.6foBmRMlDy.exe.600e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.6foBmRMlDy.exe.600e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.lnmlavab.exe.d70e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.lnmlavab.exe.d70e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.lnmlavab.exe.dd0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.lnmlavab.exe.dd0000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.6foBmRMlDy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.6foBmRMlDy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.lnmlavab.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.lnmlavab.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.6foBmRMlDy.exe.600e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.6foBmRMlDy.exe.600e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.6foBmRMlDy.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.6foBmRMlDy.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.lnmlavab.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.lnmlavab.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.lnmlavab.exe.d70e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.lnmlavab.exe.d70e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.lnmlavab.exe.d90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.lnmlavab.exe.d90000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.2be0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.2be0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.lnmlavab.exe.d90000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.lnmlavab.exe.d90000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.2be0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.2be0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2130315965.000000000072D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2133585534.00000000006A2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 6foBmRMlDy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine Classification label: mal100.troj.evad.winEXE@32/3@9/5
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_006B1DC3 CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_02BE9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:712:64:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5440:64:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2328:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe File created: C:\Users\user\AppData\Local\Temp\lnmlavab.exe
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: k\` 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: ^ohJ 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: ?zEo 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: k3nU 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: 0ugV 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: IfoB 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: Z1S9 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: $&s 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: p7~ 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: /H;+ 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: C:7C 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: kd@9 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: agYU 0_2_0043B240
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Command line argument: |%FH 0_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: k\` 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: ^ohJ 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: ?zEo 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: k3nU 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: 0ugV 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: IfoB 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: Z1S9 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: $&s 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: p7~ 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: /H;+ 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: C:7C 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: kd@9 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: agYU 12_2_0043B240
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Command line argument: |%FH 12_2_0043B240
        Source: 6foBmRMlDy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe File read: C:\Users\user\Desktop\6foBmRMlDy.exe
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-21867
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-21759
        Source: unknown Process created: C:\Users\user\Desktop\6foBmRMlDy.exe "C:\Users\user\Desktop\6foBmRMlDy.exe"
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gqbqwogt\
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnmlavab.exe" C:\Windows\SysWOW64\gqbqwogt\
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description gqbqwogt "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start gqbqwogt
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d"C:\Users\user\Desktop\6foBmRMlDy.exe"
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5840 -ip 5840
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 568
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3180 -ip 3180
        Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 772
        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gqbqwogt\
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnmlavab.exe" C:\Windows\SysWOW64\gqbqwogt\
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description gqbqwogt "wifi internet conection"
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start gqbqwogt
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5840 -ip 5840
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 568
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3180 -ip 3180
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 772
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: msvcr100.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: slc.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exeSection loaded: msvcr100.dllJump to behavior
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\6foBmRMlDy.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: 6foBmRMlDy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: 6foBmRMlDy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: 6foBmRMlDy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: 6foBmRMlDy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: 6foBmRMlDy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: 6foBmRMlDy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: 6foBmRMlDy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Unpacked PE file: 0.2.6foBmRMlDy.exe.400000.0.unpack .text:ER;.data:W;.tuh:R;.kovaxe:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Unpacked PE file: 12.2.lnmlavab.exe.400000.0.unpack .text:ER;.data:W;.tuh:R;.kovaxe:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Unpacked PE file: 0.2.6foBmRMlDy.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Unpacked PE file: 12.2.lnmlavab.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: 6foBmRMlDy.exe | Static PE information: section name: .tuh
        Source: 6foBmRMlDy.exe | Static PE information: section name: .kovaxe
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_0043D4C3 push ecx; ret 0_2_0043D4D6
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_0043FBD9 push ecx; ret 0_2_0043FBEC
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Code function: 12_2_0043D4C3 push ecx; ret 12_2_0043D4D6
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Code function: 12_2_0043FBD9 push ecx; ret 12_2_0043FBEC
        Source: 6foBmRMlDy.exe | Static PE information: section name: .text entropy: 7.003526634718541

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe (copy)
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | File created: C:\Users\user\AppData\Local\Temp\lnmlavab.exe
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gqbqwogt
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\6fobmrmldy.exe
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_02BE199C inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_13-7595
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_13-6131
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_13-7318
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-21774
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-21882
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | API coverage: 5.6 %
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | API coverage: 4.2 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 4876 | Thread sleep count: 41 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 4876 | Thread sleep time: -41000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount
        Source: svchost.exe, 0000000D.00000002.3361932502.0000000003200000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\6foBmRMlDy.exe | API call chain: ExitProcess graph end node graph_0-22230
        Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | API call chain: ExitProcess graph end node graph_12-22173

        Anti Debugging

Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_13-7483)
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_0060092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00600D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_006B16A0 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Code function: 12_2_0073C628 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Code function: 12_2_00D70D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Code function: 12_2_00D7092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_02BE9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.71.27:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.106:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.228.234.180:443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0:25
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2BE0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BE0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BE0000
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CC3008
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gqbqwogt\
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnmlavab.exe" C:\Windows\SysWOW64\gqbqwogt\
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description gqbqwogt "wifi internet conection"
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start gqbqwogt
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5840 -ip 5840
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 568
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3180 -ip 3180
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 772
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Queries volume information: C:\ VolumeInformation (2 instances)
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Queries volume information: C:\ VolumeInformation (2 instances)
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation (4 instances)
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

Source: Yara match | File source: 12.2.lnmlavab.exe.dd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6foBmRMlDy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.dd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6foBmRMlDy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6foBmRMlDy.exe.600e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.6foBmRMlDy.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.lnmlavab.exe.d70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.lnmlavab.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2be0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6foBmRMlDy.exe PID: 3180, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lnmlavab.exe PID: 5840, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6812, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match | File source: the same 23 unpacked PE files, memory dumps and process memory spaces listed under Stealing of Sensitive Information above
Source: C:\Users\user\Desktop\6foBmRMlDy.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_02BE88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
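The install chain recorded in the HIPS / PFW section above (sc.exe creating an auto-start service whose binary sits in a random eight-letter directory under SysWOW64, netsh adding an inbound allow rule for SysWOW64\svchost.exe, a PE image written into a freshly spawned SysWOW64\svchost.exe) and the SMTP connections that the injected svchost.exe then makes are the behaviours a detection engineer would hunt for. The Python below is an added example, not part of the Joe Sandbox report or of any vendor tooling. Its JSON-lines event schema and field names are assumptions loosely modelled on Sysmon process-create, network-connect and remote-memory events, and the sample events are constructed from the command lines, memory writes and connections reported above, with two benign controls added.

```python
"""Hunt for the Tofsee service-install and injection chain in JSON-lines telemetry.

Added example; the event schema (type, image, parent_image, cmdline, target_image,
first_bytes, dst_ip, dst_port) is an assumption, not a real product format.
"""
import json
import re

# Service binary dropped as <8 lowercase letters>\<8 lowercase letters>.exe under
# SysWOW64, as in C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe in this report.
RANDOM_SYSWOW64_BIN = re.compile(r'\\SysWOW64\\([a-z]{8})\\([a-z]{8})\.exe', re.I)
FIREWALL_PROGRAM = re.compile(r'program="([^"]+)"', re.I)
SMTP_PORTS = {25, 465, 587}
# Parents that legitimately spawn svchost.exe (assumed allow-list; extend for your estate).
SVCHOST_PARENTS = ("\\services.exe", "\\msmpeng.exe", "\\svchost.exe")


def check_process_create(ev):
    image = ev["image"].lower()
    cmd = ev.get("cmdline", "")
    parent = ev.get("parent_image", "").lower()
    alerts = []
    if image.endswith("\\sc.exe") and " create " in cmd and "start= auto" in cmd:
        m = RANDOM_SYSWOW64_BIN.search(cmd)
        if m:
            alerts.append(("service_random_syswow64_binary", f"{m.group(1)}\\{m.group(2)}.exe"))
    if image.endswith("\\netsh.exe") and "advfirewall" in cmd and "action=allow" in cmd:
        m = FIREWALL_PROGRAM.search(cmd)
        if m and m.group(1).lower().endswith("\\svchost.exe"):
            alerts.append(("firewall_allow_rule_for_svchost", m.group(1)))
    if image.endswith("\\svchost.exe") and not parent.endswith(SVCHOST_PARENTS):
        alerts.append(("svchost_unexpected_parent", ev.get("parent_image", "")))
    return alerts


def check_memory_write(ev):
    # A PE image (MZ header, bytes 4D 5A) written into another process is the
    # injection step lnmlavab.exe performs against SysWOW64\svchost.exe.
    if ev["target_image"].lower().endswith("\\svchost.exe") and \
            ev.get("first_bytes", "").upper().startswith("4D5A"):
        return [("pe_image_written_into_svchost", f"{ev['source_image']} -> 0x{ev['base']:X}")]
    return []


def check_network_connect(ev):
    # svchost.exe has no business speaking SMTP; Tofsee's spam module does.
    if ev["image"].lower().endswith("\\svchost.exe") and ev["dst_port"] in SMTP_PORTS:
        return [("svchost_smtp_connection", f"{ev['dst_ip']}:{ev['dst_port']}")]
    return []


CHECKS = {
    "process_create": check_process_create,
    "memory_write": check_memory_write,
    "network_connect": check_network_connect,
}


def hunt(jsonl_text):
    """Run every check over JSON-lines telemetry; return (rule, detail) alerts in order."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("type"))
        if check:
            alerts.extend(check(ev))
    return alerts


# Constructed sample telemetry reproducing the chain from this report.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\sc.exe",
     "parent_image": r"C:\Users\user\Desktop\6foBmRMlDy.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Users\user\Desktop\6foBmRMlDy.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent_image": r"C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe", "cmdline": "svchost.exe"},
    {"type": "memory_write", "source_image": r"C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe",
     "target_image": r"C:\Windows\SysWOW64\svchost.exe", "base": 0x2BE0000, "first_bytes": "4D5A"},
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "dst_ip": "67.195.228.106", "dst_port": 25},
    # Benign controls: a normal svchost start and a non-SMTP connection.
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "20.112.250.133", "dst_port": 443},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_JSONL):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample the five malicious events each raise exactly one alert and the two benign ones raise none. The svchost parent allow-list is the rule most likely to need tuning; the firewall and random-directory rules are narrow enough to run as-is. Note that the allow rule names the SysWOW64 copy of svchost.exe, which real service configuration never needs, so program path alone is a strong signal.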
MITRE ATT&CK matrix: techniques with at least one matching signature, with the signature count in parentheses. The rest of the matrix in the original is the empty template and carries no information about this sample.

Initial Access: Valid Accounts (1)
Execution: Native API (41); Command and Scripting Interpreter (3); Service Execution (3)
Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14)
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412)
Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
Credential Access: none
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112)
Exfiltration: none
Impact: none
Behavior graph (ID 1531711, sample 6foBmRMlDy.exe, start date 11/10/2024, architecture WINDOWS, score 100), rendered as text:

Top level: contacts yahoo.com, vanaheim.cn and 6 other IPs or domains; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, and 9 other signatures. Started processes: lnmlavab.exe, 6foBmRMlDy.exe, svchost.exe, svchost.exe.
lnmlavab.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures. Starts svchost.exe and WerFault.exe.
6foBmRMlDy.exe: drops C:\Users\user\AppData\Local\...\lnmlavab.exe (PE32); Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Starts cmd.exe, netsh.exe, cmd.exe and 4 other processes, each with its own conhost.exe; the first cmd.exe drops C:\Windows\SysWOW64\...\lnmlavab.exe (copy, PE32).
svchost.exe (started by lnmlavab.exe): connects to mta5.am0.yahoodns.net 67.195.228.106:25 (YAHOO-GQ1US, United States), microsoft-com.mail.protection.outlook.com 52.101.11.0:25 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 3 other IPs or domains; System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry).
svchost.exe (top level): starts two WerFault.exe instances.

Antivirus results for the sample (Source | Detection | Scanner | Label):
6foBmRMlDy.exe | 100% | Avira | HEUR/AGEN.1307867
6foBmRMlDy.exe | 100% | Joe Sandbox ML

Antivirus results for the dropped file (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\lnmlavab.exe | 100% | Avira | HEUR/AGEN.1307867
C:\Users\user\AppData\Local\Temp\lnmlavab.exe | 100% | Joe Sandbox ML

No Antivirus matches in the remaining three antivirus tables.
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
mxs.mail.ru | 217.69.139.150 | true | true | none | unknown
mta5.am0.yahoodns.net | 67.195.228.106 | true | true | none | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | none | unknown
vanaheim.cn | 185.228.234.180 | true | true | none | unknown
smtp.google.com | 74.125.71.27 | true | false | none | unknown
google.com | unknown | unknown | true | none | unknown
yahoo.com | unknown | unknown | true | none | unknown
mail.ru | unknown | unknown | true | none | unknown
URLs (Name | Malicious | Antivirus Detection | Reputation):
vanaheim.cn:443 | true | none | unknown
jotunheim.name:443 | true | none | unknown
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
74.125.71.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
67.195.228.106 | mta5.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
185.228.234.180 | vanaheim.cn | Russian Federation | 64439 | ITOS-ASRU | true
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1531711
Start date and time: 2024-10-11 16:35:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6foBmRMlDy.exe (renamed because the original name is a hash value)
Original Sample Name: e4352f63724267bed81e8c199bd8ca0f.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@32/3@9/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 71
• Number of non-executed functions: 268
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.231.239.246, 20.236.44.162, 20.76.201.171, 20.70.246.20
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: 6foBmRMlDy.exe
Time | Type | Description
10:36:45 | API Interceptor | 14x Sleep call for process svchost.exe modified
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            52.101.11.0rXTqHar5Ud.exeGet hashmaliciousTofseeBrowse
                              RSno9EH0K9.exeGet hashmaliciousTofseeBrowse
                                ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                  knkduwqg.exeGet hashmaliciousTofseeBrowse
                                    bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                      SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                        vyrcclmm.exeGet hashmaliciousTofseeBrowse
                                          AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                            DWoKcG581L.exeGet hashmaliciousTofseeBrowse
                                              kPl1mZTpru.exeGet hashmaliciousTofseeBrowse
                                                67.195.228.106SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                  file.exeGet hashmaliciousPhorpiexBrowse
                                                    newtpp.exeGet hashmaliciousPhorpiexBrowse
                                                      gEkl9O5tiu.exeGet hashmaliciousPhorpiexBrowse
                                                        l3Qj8QhTYZ.exeGet hashmaliciousPhorpiexBrowse
                                                          Update-KB6734-x86.exeGet hashmaliciousUnknownBrowse
                                                            Update-KB78-x86.exeGet hashmaliciousUnknownBrowse
                                                              DWVByMCYL8.exeGet hashmaliciousRaccoon RedLine SmokeLoader Tofsee XmrigBrowse
                                                                HsWJJz7nq4.exeGet hashmaliciousTofsee XmrigBrowse
                                                                  ac492e6a204784df07ef3841b3ae1f8a68b349db90a34.exeGet hashmaliciousRaccoon RedLine SmokeLoader Tofsee XmrigBrowse
                                                                    217.69.139.150rXTqHar5Ud.exeGet hashmaliciousTofseeBrowse
                                                                      874A7cigvX.exeGet hashmaliciousTofseeBrowse
                                                                        RSno9EH0K9.exeGet hashmaliciousTofseeBrowse
                                                                          ODy57hA4Su.exeGet hashmaliciousTofseeBrowse
                                                                            Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                              knkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                  bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                    Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                      SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
Associated Sample Name / URL | Detection | Threat Name | Context
Match: microsoft-com.mail.protection.outlook.com
• OPgjjiInNK.exe | malicious | Tofsee | 52.101.42.0
• rXTqHar5Ud.exe | malicious | Tofsee | 52.101.11.0
• 2IFYYPRUgO.exe | malicious | Tofsee | 52.101.8.49
• H3nfKrgQbi.exe | malicious | Tofsee | 52.101.42.0
• 2FnvReiPU6.exe | malicious | Tofsee | 52.101.11.9
• 874A7cigvX.exe | malicious | Tofsee | 52.101.42.0
• RSno9EH0K9.exe | malicious | Tofsee | 52.101.8.49
• ODy57hA4Su.exe | malicious | Tofsee | 52.101.11.0
• Uc84uB877e.exe | malicious | Tofsee | 52.101.8.49
• qkkcfptf.exe | malicious | Tofsee | 52.101.42.0
Match: mxs.mail.ru
• OPgjjiInNK.exe | malicious | Tofsee | 94.100.180.31
• rXTqHar5Ud.exe | malicious | Tofsee | 217.69.139.150
• 2IFYYPRUgO.exe | malicious | Tofsee | 94.100.180.31
• H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
• 2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
• 874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
• RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
• ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
• Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
• qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
Match: mta5.am0.yahoodns.net
• rXTqHar5Ud.exe | malicious | Tofsee | 98.136.96.74
• H3nfKrgQbi.exe | malicious | Tofsee | 67.195.204.79
• ODy57hA4Su.exe | malicious | Tofsee | 67.195.228.109
• igvdwmhd.exe | malicious | Tofsee | 67.195.228.110
• fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
• SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
• vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
• lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
• I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
• file.exe | malicious | Phorpiex | 67.195.228.110
Associated Sample Name / URL | Detection | Threat Name | Context
Match: MAILRU-ASMailRuRU
• https://ok.me/KtdI1 | malicious | Unknown | 217.20.155.6
• https://ok.me/KtdI1 | malicious | Unknown | 217.20.156.11
• http://bk.ru | malicious | HTMLPhisher | 217.69.141.181
• OPgjjiInNK.exe | malicious | Tofsee | 94.100.180.31
• rXTqHar5Ud.exe | malicious | Tofsee | 217.69.139.150
• 2IFYYPRUgO.exe | malicious | Tofsee | 94.100.180.31
• H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
• 8zzBr1gT31.elf | malicious | Mirai | 5.61.23.57
• 2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
• OuZGkt7xKK.exe | malicious | Coinhive, Xmrig | 178.237.20.50
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
• phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 52.113.194.132
• https://tzr7wtjq.r.us-east-1.awstrack.me/L0/https:%2F%2Fclickproxy.retailrocket.net%2F%3Furl=https%253A%252F%252Fneamunit.ro%2F%2Fwinners%2F%2Fnatalie.gilbert%2FbmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001927b41f2f4-541067bc-8926-4dcb-8f02-24fcf186dd1a-000000/pqvbHhvZKuWAqkc2J1BWoU1pciA=395 | malicious | HTMLPhisher | 13.107.253.45
• kamilia.kaszowski-401(k) Statement-emailCapstonelogistics.eml | malicious | HTMLPhisher | 20.44.10.122
• https://tzr7wtjq.r.us-east-1.awstrack.me/L0/https:%2F%2Fclickproxy.retailrocket.net%2F%3Furl=https%253A%252F%252Fneamunit.ro%2F%2Fwinners%2F%2Fnatalie.gilbert%2FbmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001927b41f2f4-541067bc-8926-4dcb-8f02-24fcf186dd1a-000000/pqvbHhvZKuWAqkc2J1BWoU1pciA=395 | malicious | HTMLPhisher | 52.98.243.50
• https://tzr7wtjq.r.us-east-1.awstrack.me/L0/https:%2F%2Fclickproxy.retailrocket.net%2F%3Furl=https%253A%252F%252Fneamunit.ro%2F%2Fwinners%2F%2Fnatalie.gilbert%2FbmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001927b41f2f4-541067bc-8926-4dcb-8f02-24fcf186dd1a-000000/pqvbHhvZKuWAqkc2J1BWoU1pciA=395 | malicious | HTMLPhisher | 40.126.32.68
• bostonbeer.com 4343988690.html | malicious | HTMLPhisher | 13.107.246.45
• Mobile_App_Project_Details.xlsm | malicious | Unknown | 13.107.246.60
• https://linklock.titanhq.com/analyse?url=https%3A%2F%2Fwww.hudl.com%2Fnotifications-tracking%2Ftracker%2FBulkDownloadReady-6151bba290ef2e043c74df7a-6040b153-3f06-4375-9d9d-2976d6f1ac3e-11012597%2Femail%2Flanding%3Fforward%3Dhttps%3A%2F%2Fwww.google.com.sg%2Furl%3Fq%3Damp%2Fs%2Fhosxxrs.com%2F.drogo&data=eJxkkEGL3CAUgH-NcygY9Gl0hKZ0S2qZwy6l0_vyjCYja3RqEjL99yVLoYfeHu87vO99Q2ccBH2WmipgikqtkBrnJQUX8IxaCuHcyXcfTnP3UWnWniWEhmuGDIA1KI1yjVH-fH3--f3y8vrU91_71-fL9Xp5-fZ5fjRTKVMKzVDmT6eli3ksRLIB73FNAWuOeTrYqXZ-rZiJZG6LyYcJ39dbd1vX-0LEEwFLwO773tw2nw5IwOayxjEOuMaSF7pWHN5ingjY9zFUAvbLlt76sudU0P8I6H9TxVvuHIJhYYTApBi09KNGqphkjreCivFIIXRLjTeegtHKq5HjIALlnHFojSZgw4wxEbAJsz_OCjuWumP1RPT_a_8L0SyH4lYTEfYXET3OdwJ2IWBvZXk86vL3u8bXMpU_AQAA___Ij4KF#ask.gcr@zendesk.com | malicious | Unknown | 150.171.27.10
• na.elf | malicious | Mirai | 20.108.4.35
• 7hmGbJQzp5.xlam | malicious | Hidden Macro 4.0 | 13.107.246.60
Match: YAHOO-GQ1US
• na.elf | malicious | Mirai | 98.137.186.231
• na.elf | malicious | Unknown | 98.139.117.51
• na.elf | malicious | Mirai | 98.137.77.120
• Remittance_Regulvar.htm | malicious | Unknown | 74.6.160.106
• phish_alert_sp2_2.0.0.0.eml | malicious | Phisher | 98.137.11.164
• DocuSign-Docx.pdf | malicious | Unknown | 98.137.11.164
• 27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html | malicious | Unknown | 98.137.11.163
• https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg | malicious | HTMLPhisher | 98.137.11.164
• Audio_Msg..00299229202324Transcript.html | malicious | Unknown | 98.137.11.163
• https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf | malicious | HTMLPhisher | 98.137.11.164
Match: ITOS-ASRU
• SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | malicious | Unknown | 185.228.233.50
• SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | malicious | Unknown | 185.228.233.50
• 81zBpBAWwc.exe | malicious | RHADAMANTHYS | 185.228.233.50
• PcWanHBSjp.exe | malicious | Raccoon Stealer v2 | 193.187.174.250
• Setup.exe | malicious | Go Injector, Stealc | 193.187.173.86
• Setup.exe | malicious | Go Injector, Stealc | 193.187.173.86
• Setup.exe | malicious | Go Injector, Stealc | 193.187.173.86
• iVLDo46ao5.exe | malicious | DCRat | 193.187.172.13
• Cheat.Lab.2.7.0.msi | malicious | Unknown | 185.159.129.244
• file.exe | malicious | RedLine | 185.159.129.168
                                                                                        No context
                                                                                        No context
Process: C:\Users\user\Desktop\6foBmRMlDy.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12737536
Entropy (8bit): 3.8795853374092077
Encrypted: false
SSDEEP: 3072:s/IcJg7uMwZi9VaiI2PLP7zIyMDWVYvVtKHpA6PYYNp/GG7Ig7LRACfij5+U/p49:uH0uMvGiI2PLgW4upRfJGuLmHsU
MD5: 415D8A2F273DA3EB07A38C1E95C0BB82
SHA1: 5623B0E9CB62A2F4D010AC199696CDFA39F4EB6A
SHA-256: CE0247F5EF96C5172A41BB6C20601B5A659976C8E916D43B49D1453F0730460C
SHA-512: 03415DFAB3E50FB503CB0F8D8FDABBBF966FD4A6C0E4CF3DCB356836ABB06C68570015953AC955E7937702E1CCD948F8585A7765F76CED894DACD25834FD514E
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8.[.Y...Y...Y.......Y.......Y.......Y......Y...Y..cY.......Y.......Y.......Y..Rich.Y..........PE..L....Uhd..........................................@..........................p..........................................................`^...................P..........................................@............................................text.............................. ..`.data............`..................@....tuh................................@..@.kovaxe.............................@..@.rsrc...`^.......`..................@..@.reloc.......P.......d..............@..B................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12737536
Entropy (8bit): 3.8795853374092077
Encrypted: false
SSDEEP: 3072:s/IcJg7uMwZi9VaiI2PLP7zIyMDWVYvVtKHpA6PYYNp/GG7Ig7LRACfij5+U/p49:uH0uMvGiI2PLgW4upRfJGuLmHsU
MD5: 415D8A2F273DA3EB07A38C1E95C0BB82
SHA1: 5623B0E9CB62A2F4D010AC199696CDFA39F4EB6A
SHA-256: CE0247F5EF96C5172A41BB6C20601B5A659976C8E916D43B49D1453F0730460C
SHA-512: 03415DFAB3E50FB503CB0F8D8FDABBBF966FD4A6C0E4CF3DCB356836ABB06C68570015953AC955E7937702E1CCD948F8585A7765F76CED894DACD25834FD514E
Malicious: true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8.[.Y...Y...Y.......Y.......Y.......Y......Y...Y..cY.......Y.......Y.......Y..Rich.Y..........PE..L....Uhd..........................................@..........................p..........................................................`^...................P..........................................@............................................text.............................. ..`.data............`..................@....tuh................................@..@.kovaxe.............................@..@.rsrc...`^.......`..................@..@.reloc.......P.......d..............@..B................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
                                                                                        Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.461963871651088
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 6foBmRMlDy.exe
File size: 426'496 bytes
MD5: e4352f63724267bed81e8c199bd8ca0f
SHA1: ce9c69ca36920f076fe1369be4d9001085ca8602
SHA256: 5ffda142aa321a2b5546c426a28403d7f19b51b88985c8617f11c04411489e30
SHA512: afe8786dade10b520aeee40fc661d0f86b370e2c0272be3a462033cdc4b9cf91ddf8a2f2f6628c478da8736dbd7704d8da3b577c5afeb053db79dad1556c8bc4
SSDEEP: 3072://IcJg7uMwZi9VaiI2PLP7zIyMDWVYvVtKHpA6PYYNp/GG7Ig7LRACfij5+U/p49:HH0uMvGiI2PLgW4upRfJGuLmHsU
TLSH: 5394C012A2F1BC60D9268672CE1AF7F8762DF9308D59B75B330A672F18701E2D267351
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8.[.Y...Y...Y.......Y.......Y.......Y.......Y...Y..cY.......Y.......Y.......Y..Rich.Y..........PE..L....Uhd...................
Icon Hash: 452145655545610d
Entrypoint: 0x43d001
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6468550F [Sat May 20 05:05:19 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 2a922b568f49098a9b670af5a77dc13f
Instruction (entrypoint disassembly)
    call 00007FB01D03CCE8h
    jmp 00007FB01D037F7Eh
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 20h
    mov eax, dword ptr [ebp+08h]
    push esi
    push edi
    push 00000008h
    pop ecx
    mov esi, 004012FCh
    lea edi, dword ptr [ebp-20h]
    rep movsd
    mov dword ptr [ebp-08h], eax
    mov eax, dword ptr [ebp+0Ch]
    pop edi
    mov dword ptr [ebp-04h], eax
    pop esi
    test eax, eax
    je 00007FB01D03810Eh
    test byte ptr [eax], 00000008h
    je 00007FB01D038109h
    mov dword ptr [ebp-0Ch], 01994000h
    lea eax, dword ptr [ebp-0Ch]
    push eax
    push dword ptr [ebp-10h]
    push dword ptr [ebp-1Ch]
    push dword ptr [ebp-20h]
    call dword ptr [0040112Ch]
    leave
    retn 0008h
    mov edi, edi
    push ebp
    mov ebp, esp
    push ecx
    push ebx
    mov eax, dword ptr [ebp+0Ch]
    add eax, 0Ch
    mov dword ptr [ebp-04h], eax
    mov ebx, dword ptr fs:[00000000h]
    mov eax, dword ptr [ebx]
    mov dword ptr fs:[00000000h], eax
    mov eax, dword ptr [ebp+08h]
    mov ebx, dword ptr [ebp+0Ch]
    mov ebp, dword ptr [ebp-04h]
    mov esp, dword ptr [ebx-04h]
    jmp eax
    pop ebx
    leave
    retn 0008h
    pop eax
    pop ecx
    xchg dword ptr [esp], eax
    jmp eax
    pop eax
    pop ecx
    xchg dword ptr [esp], eax
    jmp eax
    pop eax
    pop ecx
    xchg dword ptr [esp], eax
    jmp eax
    mov edi, edi
    push ebp
    mov ebp, esp
    push ecx
    push ecx
    push ebx
    push esi
    push edi
    mov esi, dword ptr fs:[00000000h]
    mov dword ptr [ebp-04h], esi
    mov dword ptr [ebp-08h], 0043D0C9h
    push 00000000h
    push dword ptr [ebp+0Ch]
    push dword ptr [ebp-08h]
    push dword ptr [ebp+08h]
    call 00007FB01D04448Ah
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [C++] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x49cf8 | 0x8c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f000 | 0x15e60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x75000 | 0xd10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49d84 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3a6b8 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x20c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x498ee | 0x49a00 | 26f8f05186a7c73dd67ec955846d31ee | False | 0.7278822686757216 | data | 7.003526634718541 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4b000 | 0x119b8 | 0x6000 | 695085632ed5424d7fc7eb362c2702ab | False | 0.08304850260416667 | data | 0.9867858225859076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tuh | 0x5d000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kovaxe | 0x5e000 | 0xd6 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5f000 | 0x15e60 | 0x16000 | 126d04f38160694f408843d78c780868 | False | 0.44062943892045453 | data | 4.960422625060359 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x75000 | 0x1c8e | 0x1e00 | 744ce1cba9490ef09b39366b352f3b48 | False | 0.36940104166666665 | data | 3.7499768141825527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x72070 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
RT_CURSOR | 0x723a0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
RT_CURSOR | 0x724f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
RT_CURSOR | 0x733a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
RT_CURSOR | 0x73c48 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
RT_ICON | 0x5f7f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.36886993603411516
RT_ICON | 0x5f7f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.36886993603411516
RT_ICON | 0x60698 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.4548736462093863
RT_ICON | 0x60698 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.4548736462093863
RT_ICON | 0x60f40 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.4596774193548387
RT_ICON | 0x60f40 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.4596774193548387
RT_ICON | 0x61608 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.46315028901734107
RT_ICON | 0x61608 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.46315028901734107
RT_ICON | 0x61b70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.26991701244813276
RT_ICON | 0x61b70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.26991701244813276
RT_ICON | 0x64118 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.31121013133208253
RT_ICON | 0x64118 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.31121013133208253
RT_ICON | 0x651c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.35904255319148937
RT_ICON | 0x651c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.35904255319148937
RT_ICON | 0x65690 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.5652985074626866
RT_ICON | 0x65690 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.5652985074626866
RT_ICON | 0x66538 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5473826714801444
RT_ICON | 0x66538 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5473826714801444
RT_ICON | 0x66de0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.6242774566473989
RT_ICON | 0x66de0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.6242774566473989
RT_ICON | 0x67348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4616182572614108
RT_ICON | 0x67348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4616182572614108
RT_ICON | 0x698f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.48592870544090055
RT_ICON | 0x698f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.48592870544090055
RT_ICON | 0x6a998 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.49426229508196723
RT_ICON | 0x6a998 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.49426229508196723
RT_ICON | 0x6b320 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.4530141843971631
RT_ICON | 0x6b320 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.4530141843971631
RT_ICON | 0x6b7f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3752665245202559
RT_ICON | 0x6b7f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3752665245202559
RT_ICON | 0x6c698 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5185018050541517
RT_ICON | 0x6c698 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5185018050541517
RT_ICON | 0x6cf40 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6048387096774194
RT_ICON | 0x6cf40 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6048387096774194
RT_ICON | 0x6d608 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6553468208092486
RT_ICON | 0x6d608 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6553468208092486
RT_ICON | 0x6db70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.4841286307053942
RT_ICON | 0x6db70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.4841286307053942
RT_ICON | 0x70118 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.5035178236397748
RT_ICON | 0x70118 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.5035178236397748
RT_ICON | 0x711c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.48114754098360657
RT_ICON | 0x711c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.48114754098360657
RT_ICON | 0x71b48 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5372340425531915
RT_ICON | 0x71b48 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5372340425531915
RT_DIALOG | 0x74448 | 0x58 | data | | | 0.8977272727272727
RT_STRING | 0x744a0 | 0x26e | data | Tamil | India | 0.5016077170418006
RT_STRING | 0x744a0 | 0x26e | data | Tamil | Sri Lanka | 0.5016077170418006
RT_STRING | 0x74710 | 0x29c | data | Tamil | India | 0.4865269461077844
RT_STRING | 0x74710 | 0x29c | data | Tamil | Sri Lanka | 0.4865269461077844
RT_STRING | 0x749b0 | 0x4b0 | data | Tamil | India | 0.455
RT_STRING | 0x749b0 | 0x4b0 | data | Tamil | Sri Lanka | 0.455
RT_ACCELERATOR | 0x72028 | 0x48 | data | Tamil | India | 0.8472222222222222
RT_ACCELERATOR | 0x72028 | 0x48 | data | Tamil | Sri Lanka | 0.8472222222222222
RT_GROUP_CURSOR | 0x724d0 | 0x22 | data | | | 1.0294117647058822
RT_GROUP_CURSOR | 0x741b0 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x6b788 | 0x68 | data | Tamil | India | 0.7019230769230769
RT_GROUP_ICON | 0x6b788 | 0x68 | data | Tamil | Sri Lanka | 0.7019230769230769
RT_GROUP_ICON | 0x65628 | 0x68 | data | Tamil | India | 0.6826923076923077
RT_GROUP_ICON | 0x65628 | 0x68 | data | Tamil | Sri Lanka | 0.6826923076923077
RT_GROUP_ICON | 0x71fb0 | 0x76 | data | Tamil | India | 0.6779661016949152
RT_GROUP_ICON | 0x71fb0 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152
RT_VERSION | 0x741e0 | 0x264 | data | | | 0.5392156862745098
Imports:
DLL | Import
KERNEL32.dll | EnumCalendarInfoW, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, SetComputerNameW, SetVolumeMountPointW, GetTimeFormatA, GetTickCount, CreateNamedPipeW, GetNumberFormatA, ClearCommBreak, GetConsoleAliasExesW, TlsSetValue, GetEnvironmentStrings, LoadLibraryW, GetLocaleInfoW, _hread, GetCalendarInfoW, SetVolumeMountPointA, GetVersionExW, EnumSystemCodePagesA, CreateSemaphoreA, GetFileAttributesW, CreateActCtxA, GetShortPathNameA, CreateJobObjectA, VerifyVersionInfoW, CreateProcessW, GetLastError, GetCurrentDirectoryW, GetProcAddress, SetFileAttributesA, DefineDosDeviceA, GlobalFree, FindClose, LoadLibraryA, LocalAlloc, CreateHardLinkW, GetNumberFormatW, FoldStringW, SetEnvironmentVariableA, GetModuleFileNameA, EnumDateFormatsA, GlobalUnWire, OpenEventW, GetShortPathNameW, SetFileShortNameA, GetDiskFreeSpaceExA, ReadConsoleInputW, DebugBreak, GetTempPathA, LocalFree, LCMapStringW, CommConfigDialogW, SetFilePointer, EnumCalendarInfoA, InterlockedExchange, GetComputerNameA, CloseHandle, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetModuleHandleA, MultiByteToWideChar, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, HeapAlloc, GetStartupInfoW, RaiseException, RtlUnwind, TerminateProcess, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsFree, SetLastError, GetCurrentThreadId, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, Sleep, HeapSize, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers
GDI32.dll | CreateDCA, GetCharWidth32A, GetCharWidthI
SHELL32.dll | FindExecutableA
ole32.dll | CoSuspendClassObjects
WINHTTP.dll | WinHttpSetDefaultProxyConfiguration, WinHttpOpen
MSIMG32.dll | AlphaBlend
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Network connections (TCP):
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 11, 2024 16:36:02.817156076 CEST | 49711 | 25 | 192.168.2.6 | 52.101.11.0
Oct 11, 2024 16:36:03.801642895 CEST | 49711 | 25 | 192.168.2.6 | 52.101.11.0
Oct 11, 2024 16:36:05.801702976 CEST | 49711 | 25 | 192.168.2.6 | 52.101.11.0
Oct 11, 2024 16:36:06.151674986 CEST | 49713 | 443 | 192.168.2.6 | 185.228.234.180
Oct 11, 2024 16:36:06.151726961 CEST | 443 | 49713 | 185.228.234.180 | 192.168.2.6
Oct 11, 2024 16:36:06.151791096 CEST | 49713 | 443 | 192.168.2.6 | 185.228.234.180
Oct 11, 2024 16:36:09.801803112 CEST | 49711 | 25 | 192.168.2.6 | 52.101.11.0
Oct 11, 2024 16:36:17.801779032 CEST | 49711 | 25 | 192.168.2.6 | 52.101.11.0
Oct 11, 2024 16:36:22.840190887 CEST | 61283 | 25 | 192.168.2.6 | 67.195.228.106
Oct 11, 2024 16:36:23.848676920 CEST | 61283 | 25 | 192.168.2.6 | 67.195.228.106
Oct 11, 2024 16:36:25.848558903 CEST | 61283 | 25 | 192.168.2.6 | 67.195.228.106
Oct 11, 2024 16:36:29.848582983 CEST | 61283 | 25 | 192.168.2.6 | 67.195.228.106
Oct 11, 2024 16:36:37.848579884 CEST | 61283 | 25 | 192.168.2.6 | 67.195.228.106
Oct 11, 2024 16:36:42.865026951 CEST | 61403 | 25 | 192.168.2.6 | 74.125.71.27
Oct 11, 2024 16:36:43.879933119 CEST | 61403 | 25 | 192.168.2.6 | 74.125.71.27
Oct 11, 2024 16:36:45.895576000 CEST | 61403 | 25 | 192.168.2.6 | 74.125.71.27
Oct 11, 2024 16:36:46.145576954 CEST | 49713 | 443 | 192.168.2.6 | 185.228.234.180
Oct 11, 2024 16:36:46.145699024 CEST | 443 | 49713 | 185.228.234.180 | 192.168.2.6
Oct 11, 2024 16:36:46.145766020 CEST | 49713 | 443 | 192.168.2.6 | 185.228.234.180
Oct 11, 2024 16:36:46.258964062 CEST | 61424 | 443 | 192.168.2.6 | 185.228.234.180
Oct 11, 2024 16:36:46.259006023 CEST | 443 | 61424 | 185.228.234.180 | 192.168.2.6
Oct 11, 2024 16:36:46.259067059 CEST | 61424 | 443 | 192.168.2.6 | 185.228.234.180
Oct 11, 2024 16:36:49.895499945 CEST | 61403 | 25 | 192.168.2.6 | 74.125.71.27
Oct 11, 2024 16:36:57.895538092 CEST | 61403 | 25 | 192.168.2.6 | 74.125.71.27
Oct 11, 2024 16:37:02.887343884 CEST | 61476 | 25 | 192.168.2.6 | 217.69.139.150
Oct 11, 2024 16:37:03.895478010 CEST | 61476 | 25 | 192.168.2.6 | 217.69.139.150
Oct 11, 2024 16:37:05.895503044 CEST | 61476 | 25 | 192.168.2.6 | 217.69.139.150
Oct 11, 2024 16:37:09.895497084 CEST | 61476 | 25 | 192.168.2.6 | 217.69.139.150
Oct 11, 2024 16:37:17.895587921 CEST | 61476 | 25 | 192.168.2.6 | 217.69.139.150
Oct 11, 2024 16:37:26.255201101 CEST | 61424 | 443 | 192.168.2.6 | 185.228.234.180
Oct 11, 2024 16:37:26.255441904 CEST | 443 | 61424 | 185.228.234.180 | 192.168.2.6
                                                                                        Oct 11, 2024 16:37:26.255553007 CEST61424443192.168.2.6185.228.234.180
                                                                                        Oct 11, 2024 16:37:26.365679026 CEST61479443192.168.2.6185.228.234.180
                                                                                        Oct 11, 2024 16:37:26.365782022 CEST44361479185.228.234.180192.168.2.6
                                                                                        Oct 11, 2024 16:37:26.365938902 CEST61479443192.168.2.6185.228.234.180
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 11, 2024 16:36:02.784337997 CEST | 61654 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:36:02.816376925 CEST | 53 | 61654 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:36:05.810204029 CEST | 57286 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:36:06.151072979 CEST | 53 | 57286 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:36:18.824312925 CEST | 53 | 63796 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:36:22.820123911 CEST | 53928 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:36:22.829569101 CEST | 53 | 53928 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:36:22.831269979 CEST | 55838 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:36:22.839654922 CEST | 53 | 55838 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:36:42.849222898 CEST | 58843 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:36:42.856307030 CEST | 53 | 58843 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:36:42.856949091 CEST | 60757 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:36:42.864515066 CEST | 53 | 60757 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:37:02.864792109 CEST | 56568 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:37:02.878443003 CEST | 53 | 56568 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:37:02.879225016 CEST | 65287 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:37:02.886684895 CEST | 53 | 65287 | 1.1.1.1 | 192.168.2.6
Oct 11, 2024 16:38:05.370997906 CEST | 61804 | 53 | 192.168.2.6 | 1.1.1.1
Oct 11, 2024 16:38:05.405061960 CEST | 53 | 61804 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 11, 2024 16:36:02.784337997 CEST | 192.168.2.6 | 1.1.1.1 | 0xfc3 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:05.810204029 CEST | 192.168.2.6 | 1.1.1.1 | 0xe363 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.820123911 CEST | 192.168.2.6 | 1.1.1.1 | 0x5722 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:36:22.831269979 CEST | 192.168.2.6 | 1.1.1.1 | 0x3d2f | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:42.849222898 CEST | 192.168.2.6 | 1.1.1.1 | 0xae13 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:36:42.856949091 CEST | 192.168.2.6 | 1.1.1.1 | 0x4485 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:37:02.864792109 CEST | 192.168.2.6 | 1.1.1.1 | 0x86eb | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:37:02.879225016 CEST | 192.168.2.6 | 1.1.1.1 | 0x95b4 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:38:05.370997906 CEST | 192.168.2.6 | 1.1.1.1 | 0x385f | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 11, 2024 16:36:02.816376925 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc3 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:02.816376925 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc3 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:02.816376925 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc3 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:02.816376925 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc3 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:06.151072979 CEST | 1.1.1.1 | 192.168.2.6 | 0xe363 | No error (0) | vanaheim.cn |  | 185.228.234.180 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.829569101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5722 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:36:22.829569101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5722 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:36:22.829569101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5722 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:22.839654922 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d2f | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:42.856307030 CEST | 1.1.1.1 | 192.168.2.6 | 0xae13 | No error (0) | google.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:36:42.864515066 CEST | 1.1.1.1 | 192.168.2.6 | 0x4485 | No error (0) | smtp.google.com |  | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:42.864515066 CEST | 1.1.1.1 | 192.168.2.6 | 0x4485 | No error (0) | smtp.google.com |  | 64.233.167.27 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:42.864515066 CEST | 1.1.1.1 | 192.168.2.6 | 0x4485 | No error (0) | smtp.google.com |  | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:42.864515066 CEST | 1.1.1.1 | 192.168.2.6 | 0x4485 | No error (0) | smtp.google.com |  | 64.233.166.27 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:36:42.864515066 CEST | 1.1.1.1 | 192.168.2.6 | 0x4485 | No error (0) | smtp.google.com |  | 64.233.166.26 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:37:02.878443003 CEST | 1.1.1.1 | 192.168.2.6 | 0x86eb | No error (0) | mail.ru |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 11, 2024 16:37:02.886684895 CEST | 1.1.1.1 | 192.168.2.6 | 0x95b4 | No error (0) | mxs.mail.ru |  | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:37:02.886684895 CEST | 1.1.1.1 | 192.168.2.6 | 0x95b4 | No error (0) | mxs.mail.ru |  | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:38:05.405061960 CEST | 1.1.1.1 | 192.168.2.6 | 0x385f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:38:05.405061960 CEST | 1.1.1.1 | 192.168.2.6 | 0x385f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:38:05.405061960 CEST | 1.1.1.1 | 192.168.2.6 | 0x385f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 16:38:05.405061960 CEST | 1.1.1.1 | 192.168.2.6 | 0x385f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.11.0 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 10:35:57
Start date: 11/10/2024
Path: C:\Users\user\Desktop\6foBmRMlDy.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6foBmRMlDy.exe"
Imagebase: 0x400000
File size: 426'496 bytes
MD5 hash: E4352F63724267BED81E8C199BD8CA0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2096533476.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2133585534.00000000006A2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:35:57
Start date: 11/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gqbqwogt\
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 10:35:57
Start date: 11/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:35:58
Start date: 11/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnmlavab.exe" C:\Windows\SysWOW64\gqbqwogt\
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:35:58
Start date: 11/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:35:59
Start date: 11/10/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" create gqbqwogt binPath= "C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d\"C:\Users\user\Desktop\6foBmRMlDy.exe\"" type= own start= auto DisplayName= "wifi support"
Imagebase: 0x170000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 10:35:59
Start date: 11/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 10:35:59
Start date: 11/10/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" description gqbqwogt "wifi internet conection"
Imagebase: 0x170000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 10:35:59
Start date: 11/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 10:36:00
Start date: 11/10/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" start gqbqwogt
Imagebase: 0x170000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe /d"C:\Users\user\Desktop\6foBmRMlDy.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:12'737'536 bytes
                                                                                        MD5 hash:415D8A2F273DA3EB07A38C1E95C0BB82
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2130408783.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2127071237.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2130315965.000000000072D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:svchost.exe
                                                                                        Imagebase:0xaa0000
                                                                                        File size:46'504 bytes
                                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:false

                                                                                        Target ID:14
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                        Imagebase:0x7ff7403e0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5840 -ip 5840
                                                                                        Imagebase:0x9b0000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 568
                                                                                        Imagebase:0x9b0000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                        Imagebase:0xa60000
                                                                                        File size:82'432 bytes
                                                                                        MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3180 -ip 3180
                                                                                        Imagebase:0x9b0000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:10:36:00
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:20
                                                                                        Start time:10:36:01
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 772
                                                                                        Imagebase:0x9b0000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:25
                                                                                        Start time:10:36:43
                                                                                        Start date:11/10/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                        Imagebase:0x7ff7403e0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false


                                                                                          Execution Graph

                                                                                          Execution Coverage:3.8%
                                                                                          Dynamic/Decrypted Code Coverage:23%
                                                                                          Signature Coverage:30.3%
                                                                                          Total number of Nodes:525
                                                                                          Total number of Limit Nodes:44
                                                                                          execution_graph: [interactive node/edge graph rendered as a flat token stream; the listing is not reproduced here. Recoverable node labels (address followed by the API calls made at that node) include: 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter; 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount; 409aa3 GetModuleHandleA GetModuleFileNameA; 409afd GetCommandLineA; 409ca0 GetTempPathA; 409e6b GetEnvironmentVariableA; 409f32 RegOpenKeyExA; 409f48 RegSetValueExA RegCloseKey; 40a103 CreateProcessA; 40a12a DeleteFileA; 40a39d StartServiceCtrlDispatcherA; 40a41c CreateThread WSAStartup; 406ec3 GetUserNameW LookupAccountNameW; 404280 CreateEventA; 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult; 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult; 40eb0e LoadLibraryA GetProcAddress; 4096ff RegOpenKeyExA RegDeleteValueA RegCloseKey; 40f0e4 lstrlenA SysAllocStringByteLen MultiByteToWideChar; 407703 RegEnumKeyA; 40777e GetFileAttributesExA.]
22031->22034 22032 4077e3 RegCloseKey 22032->22030 22033->22034 22034->22032 22036 407073 22035->22036 22037 4070b9 RegOpenKeyExA 22036->22037 22038 4070d0 22037->22038 22052 4071b8 22037->22052 22039 406dc2 6 API calls 22038->22039 22042 4070d5 22039->22042 22040 40719b RegEnumValueA 22041 4071af RegCloseKey 22040->22041 22040->22042 22041->22052 22042->22040 22044 4071d0 22042->22044 22058 40f1a5 lstrlenA 22042->22058 22045 407205 RegCloseKey 22044->22045 22046 407227 22044->22046 22045->22052 22047 4072b8 ___ascii_stricmp 22046->22047 22048 40728e RegCloseKey 22046->22048 22049 4072cd RegCloseKey 22047->22049 22050 4072dd 22047->22050 22048->22052 22049->22052 22051 407311 RegCloseKey 22050->22051 22054 407335 22050->22054 22051->22052 22052->21866 22053 4073d5 RegCloseKey 22055 4073e4 22053->22055 22054->22053 22056 40737e GetFileAttributesExA 22054->22056 22057 407397 22054->22057 22056->22057 22057->22053 22058->22042 22059->21872 22061 40400b CreateFileA 22060->22061 22062 40402c GetLastError 22061->22062 22064 404052 22061->22064 22063 404037 22062->22063 22062->22064 22063->22064 22065 404041 Sleep 22063->22065 22064->21870 22064->21875 22064->21876 22065->22061 22065->22064 22066->21878 22067->21880 22068->21884 22069->21886 22076 40eb74 22070->22076 22073 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 22073->21890 22074->21892 22075->21894 22077 40eb7b GetProcessHeap HeapSize 22076->22077 22078 404350 22076->22078 22077->22078 22078->22073 22079->21922 22081 401924 GetVersionExA 22080->22081 22081->21933 22083 406eef AllocateAndInitializeSid 22082->22083 22089 406f55 22082->22089 22084 406f44 22083->22084 22085 406f1c CheckTokenMembership 22083->22085 22084->22089 22099 406e36 GetUserNameW LookupAccountNameW 22084->22099 22086 406f3b FreeSid 22085->22086 22087 406f2e 22085->22087 22086->22084 22087->22086 22089->21944 22091 409308 22090->22091 22093 40920e 22090->22093 22091->21960 22092 4092f1 Sleep 22092->22093 22093->22091 
22093->22092 22093->22093 22094 4092bf ShellExecuteA 22093->22094 22094->22091 22094->22093 22095->21957 22096->21965 22097->21960 22098->21951 22099->22089 22102 4069b9 WriteFile 22100->22102 22103 406a3c 22102->22103 22105 4069ff 22102->22105 22103->21975 22103->21976 22104 406a10 WriteFile 22104->22103 22104->22105 22105->22103 22105->22104 22106->21977 22107->21994 22196 60aa4e 13 API calls 22234 40f304 setsockopt setsockopt setsockopt setsockopt setsockopt 22122 405c05 24 API calls 21689 6b1623 21690 6b1632 21689->21690 21693 6b1dc3 21690->21693 21694 6b1dde 21693->21694 21695 6b1de7 CreateToolhelp32Snapshot 21694->21695 21696 6b1e03 Module32First 21694->21696 21695->21694 21695->21696 21697 6b1e12 21696->21697 21699 6b163b 21696->21699 21700 6b1a82 21697->21700 21701 6b1aad 21700->21701 21702 6b1abe VirtualAlloc 21701->21702 21703 6b1af6 21701->21703 21702->21703 22198 405e0d 17 API calls 22235 608330 78 API calls codecvt 22161 406511 53 API calls 22236 408314 21 API calls 22125 603437 14 API calls codecvt 21518 600005 21523 60092b GetPEB 21518->21523 21520 600030 21524 60003c 21520->21524 21523->21520 21525 600049 21524->21525 21539 600e0f SetErrorMode SetErrorMode 21525->21539 21530 600265 21531 6002ce VirtualProtect 21530->21531 21533 60030b 21531->21533 21532 600439 VirtualFree 21534 6005f4 LoadLibraryA 21532->21534 21538 6004be 21532->21538 21533->21532 21537 6008c7 21534->21537 21535 6004e3 LoadLibraryA 21535->21538 21538->21534 21538->21535 21540 600223 21539->21540 21541 600d90 21540->21541 21542 600dad 21541->21542 21543 600dbb GetPEB 21542->21543 21544 600238 VirtualAlloc 21542->21544 21543->21544 21544->21530 22129 60380c Sleep LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 22164 609911 17 API calls 22204 40be31 14 API calls codecvt 22238 60cb11 17 API calls 22165 405d34 13 API calls 22131 609018 10 API calls 22205 60ea1b GetCurrentThreadId Sleep GetCurrentThreadId 22167 6089e5 301 API calls 22132 6044e6 28 API calls 
codecvt 22168 605deb 17 API calls 22169 609def 23 API calls 22170 43a9d4 RtlFreeHeap ctype 22244 60b809 80 API calls codecvt 22134 6050f9 Sleep 22246 601ffd 45 API calls 22248 601bc2 GetProcessHeap RtlSizeHeap GetProcessHeap HeapFree codecvt 22136 60c8c3 send GetProcessHeap RtlSizeHeap GetProcessHeap RtlAllocateHeap 22172 60c9c4 GetProcessHeap RtlSizeHeap GetProcessHeap RtlAllocateHeap 22173 6071c6 9 API calls 22249 604bc6 8 API calls 22251 609bc8 41 API calls 22252 60d7d0 23 API calls 22139 6060d3 13 API calls 22217 60c2d3 GetTickCount wsprintfA wsprintfA 22219 609e6c 105 API calls codecvt 22140 604ca3 10 API calls codecvt 22141 40f483 WSAStartup 22254 405b84 23 API calls 21545 43ce84 21547 43ce90 __freefls@4 21545->21547 21579 43eeee HeapCreate 21547->21579 21549 43cf03 21581 43eb78 21549->21581 21553 43cf14 __RTC_Initialize 21590 441949 21553->21590 21556 43cf22 21557 43cf2d 21556->21557 21632 43ff2e RtlFreeHeap __FF_MSGBANNER __decode_pointer __NMSG_WRITE 21556->21632 21596 4418ec 21557->21596 21560 43cf3d 21601 44183e 21560->21601 21562 43cf47 21563 43cf52 21562->21563 21633 43ff2e RtlFreeHeap __FF_MSGBANNER __decode_pointer __NMSG_WRITE 21562->21633 21605 44160f 21563->21605 21569 43cf63 21616 43ffed 21569->21616 21570 43cf6a 21572 43cf75 __wwincmdln 21570->21572 21635 43ff2e RtlFreeHeap __FF_MSGBANNER __decode_pointer __NMSG_WRITE 21570->21635 21620 43b240 21572->21620 21575 43cfa4 21637 4401ca RtlFreeHeap _doexit 21575->21637 21578 43cfa9 __freefls@4 21580 43cef7 21579->21580 21580->21549 21630 43ce5b RtlFreeHeap __FF_MSGBANNER _fast_error_exit __NMSG_WRITE 21580->21630 21584 43eb88 __init_pointers __mtinit __decode_pointer __crt_waiting_on_module_handle __encode_pointer 21581->21584 21582 43ecfb 21643 43e892 RtlFreeHeap __decode_pointer __freefls@4 21582->21643 21584->21582 21589 43cf09 21584->21589 21638 43fdc1 21584->21638 21586 43ecbf __decode_pointer 21586->21582 21587 43ece0 21586->21587 21642 43e8cf RtlFreeHeap __lock __mtinit ___addlocaleref 
__crt_waiting_on_module_handle __freefls@4 21587->21642 21589->21553 21631 43ce5b RtlFreeHeap __FF_MSGBANNER _fast_error_exit __NMSG_WRITE 21589->21631 21591 441955 __freefls@4 21590->21591 21592 43fdc1 __calloc_crt RtlFreeHeap 21591->21592 21593 441976 21592->21593 21594 441a5e ___lock_fhandle __freefls@4 21593->21594 21595 43fdc1 __calloc_crt RtlFreeHeap 21593->21595 21594->21556 21595->21593 21598 4418f5 21596->21598 21597 4418fd 21597->21560 21598->21597 21655 43fd7c RtlFreeHeap _malloc 21598->21655 21600 441922 21600->21560 21602 441864 _wparse_cmdline 21601->21602 21604 4418b6 _wparse_cmdline 21602->21604 21656 43fd7c RtlFreeHeap _malloc 21602->21656 21604->21562 21606 441627 _wcslen 21605->21606 21610 43cf58 21605->21610 21607 43fdc1 __calloc_crt RtlFreeHeap 21606->21607 21615 44164b __invoke_watson _wcslen 21607->21615 21608 4416b0 21658 43c50b RtlFreeHeap 6 library calls 21608->21658 21610->21569 21634 43ff2e RtlFreeHeap __FF_MSGBANNER __decode_pointer __NMSG_WRITE 21610->21634 21611 43fdc1 __calloc_crt RtlFreeHeap 21611->21615 21612 4416d6 21659 43c50b RtlFreeHeap 6 library calls 21612->21659 21615->21608 21615->21610 21615->21611 21615->21612 21657 444f12 RtlFreeHeap __cftoe2_l 21615->21657 21617 43fffb __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 21616->21617 21619 440038 __IsNonwritableInCurrentImage __initterm 21617->21619 21660 43c84f RtlFreeHeap __cinit 21617->21660 21619->21570 21621 43b954 21620->21621 21622 43b90e 21620->21622 21661 43aeb0 21621->21661 21677 43c50b RtlFreeHeap 6 library calls 21622->21677 21624 43b942 21678 43ca60 RtlFreeHeap 10 library calls 21624->21678 21626 43b94c 21679 43cd05 RtlFreeHeap __cftoe2_l _fseek __fseek_nolock __lock_file __freefls@4 21626->21679 21629 43b9e6 21629->21575 21636 44019e RtlFreeHeap _doexit 21629->21636 21630->21549 21631->21553 21632->21557 21633->21563 21634->21569 21635->21572 21636->21575 21637->21578 21640 43fdca 21638->21640 21641 43fe07 21640->21641 21644 443e2d 
21640->21644 21641->21586 21642->21589 21643->21589 21645 443e39 __freefls@4 21644->21645 21646 443e51 21645->21646 21648 443e70 _memset ___sbh_alloc_block _malloc __calloc_impl 21645->21648 21651 43d9e4 RtlFreeHeap __getptd_noexit 21646->21651 21650 443e56 __cftoe2_l __freefls@4 21648->21650 21652 43f09a 21648->21652 21650->21640 21651->21650 21653 43f0c2 RtlFreeHeap 21652->21653 21654 43f0af __mtinitlocknum __amsg_exit 21652->21654 21653->21648 21654->21653 21655->21600 21656->21604 21657->21615 21658->21610 21659->21610 21660->21619 21664 43aee0 _strlen 21661->21664 21662 43afdf 21680 43ade0 21662->21680 21664->21662 21683 43bbd0 RtlFreeHeap _memcpy_s std::_String_base::_Xlen std::runtime_error::runtime_error 21664->21683 21666 43afb6 21684 43c3b5 RtlFreeHeap __cftoe2_l 21666->21684 21668 43afbf 21685 43c866 RtlFreeHeap __wcstoi64 21668->21685 21669 43b036 21669->21629 21671 43afc8 21686 43c87c RtlFreeHeap __wcstoi64_l 21671->21686 21673 43afd2 21687 43c39e RtlFreeHeap __mbstrnlen_l 21673->21687 21675 43afd9 21688 43c84f RtlFreeHeap __cinit 21675->21688 21677->21624 21678->21626 21679->21621 21681 43adf1 VirtualProtect 21680->21681 21681->21669 21683->21666 21684->21668 21685->21671 21686->21673 21687->21675 21688->21662 22177 609da9 22 API calls 22178 60e9b0 GetCurrentThreadId Sleep GetCurrentThreadId lstrcmp 22222 404e92 GetTickCount GetTickCount Sleep InterlockedExchange 22180 60adb8 lstrcpyn 22225 608eb8 19 API calls codecvt 22144 405099 GetTickCount GetTickCount Sleep InterlockedExchange 22145 60b809 80 API calls codecvt 22182 4035a5 8 API calls 22149 60908d GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 22184 60b809 89 API calls codecvt 22259 60e795 25 API calls 22260 603399 9 API calls 22261 605f9b 10 API calls 22262 60b79c 79 API calls codecvt
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001838), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: b37934571552078ddbfaab47005c7767904b914e0070efdbfd13cf5a9cdf07b2
• Instruction ID: bd119e6c4087cb98d252ff90c2b4564d186cc4371c54d2626973292121ed4095
• Opcode Fuzzy Hash: b37934571552078ddbfaab47005c7767904b914e0070efdbfd13cf5a9cdf07b2
• Instruction Fuzzy Hash: 0B52A1B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 264 43b240-43b90c 265 43b972-43b97e 264->265 266 43b90e-43b96f call 43c50b call 43ca60 call 43cd05 call 43c200 264->266 267 43b980-43b99b 265->267 266->265 275 43b9a6-43b9ae 267->275 276 43b99d-43b9a4 267->276 277 43b9b0-43b9b6 275->277 276->267 276->275 280 43b9c4-43b9ca 277->280 281 43b9b8 277->281 283 43b9d5-43b9e1 call 43aeb0 280->283 284 43b9cc-43b9d3 280->284 281->280 288 43b9e6-43b9f1 283->288 284->277 284->283 290 43b9f6-43b9fc 288->290 292 43ba0a-43ba0d 290->292 293 43b9fe-43ba06 290->293 292->290 295 43ba0f-43ba17 292->295 293->292
APIs
  • Part of subcall function 0043C50B: __lock.LIBCMT ref: 0043C529
  • Part of subcall function 0043C50B: ___sbh_find_block.LIBCMT ref: 0043C534
  • Part of subcall function 0043C50B: ___sbh_free_block.LIBCMT ref: 0043C543
• _realloc.LIBCMT ref: 0043B947
  • Part of subcall function 0043CA60: _malloc.LIBCMT ref: 0043CA76
• _fseek.LIBCMT ref: 0043B94F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
Similarity
• API ID: ___sbh_find_block___sbh_free_block__lock_fseek_malloc_realloc
• String ID: $&s$/H;+$0ugV$?zEo$C:7C$Z1S9$agYU$cg P$k3nU$kd@9$p7~$|%FH
• API String ID: 3289479739-3763514964
• Opcode ID: 7dcdd3eaea46ffe2a30c8f0310ea7705a34f69824791a8e454ba313e888b229a
• Instruction ID: d87394b33d7e6c5c910dd0271f55276661a3dd12386dfd98f108e32f406b15c8
• Opcode Fuzzy Hash: 7dcdd3eaea46ffe2a30c8f0310ea7705a34f69824791a8e454ba313e888b229a
• Instruction Fuzzy Hash: 8902FCB5609380DFD2708F6AC489B8EFBE4BF85314F40891DE69A9B610D7709885CF97

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 529 409326-409348 call 401910 GetVersionExA 532 409358-40935c 529->532 533 40934a-409356 529->533 534 409360-40937d GetModuleHandleA GetModuleFileNameA 532->534 533->534 535 409385-4093a2 534->535 536 40937f 534->536 537 4093a4-4093d7 call 402544 wsprintfA 535->537 538 4093d9-409412 call 402544 wsprintfA 535->538 536->535 543 409415-40942c call 40ee2a 537->543 538->543 546 4094a3-4094b3 call 406edd 543->546 547 40942e-409432 543->547 552 4094b9-4094f9 call 402544 RegOpenKeyExA 546->552 553 40962f-409632 546->553 547->546 549 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 547->549 549->546 562 409502-40952e call 402544 RegQueryValueExA 552->562 563 4094fb-409500 552->563 556 409634-409637 553->556 559 409639-40964a call 401820 556->559 560 40967b-409682 556->560 572 40964c-409662 559->572 573 40966d-409679 559->573 565 409683 call 4091eb 560->565 581 409530-409537 562->581 582 409539-409565 call 402544 RegQueryValueExA 562->582 567 40957a-40957f 563->567 576 409688-409690 565->576 577 409581-409584 567->577 578 40958a-40958d 567->578 579 409664-40966b 572->579 580 40962b-40962d 572->580 573->565 584 409692 576->584 585 409698-4096a0 576->585 577->556 577->578 578->560 586 409593-40959a 578->586 579->580 590 4096a2-4096a9 580->590 587 40956e-409577 RegCloseKey 581->587 582->587 598 409567 582->598 584->585 585->590 591 40961a-40961f 586->591 592 40959c-4095a1 586->592 595 409625 591->595 592->591 596 4095a3-4095c0 call 40f0e4 592->596 595->580 602 4095c2-4095db call 4018e0 596->602 603 40960c-409618 596->603 598->587 602->590 606 4095e1-4095f9 602->606 603->595 606->590 607 4095ff-409607 606->607 607->590
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                          • wsprintfA.USER32 ref: 004093CE
                                                                                          • wsprintfA.USER32 ref: 0040940C
                                                                                          • wsprintfA.USER32 ref: 0040948D
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: PromptOnSecureDesktop$runas
                                                                                          • API String ID: 3696105349-2220793183
                                                                                          • Opcode ID: dd8323cc3663becab7e2967d3efa69540a9c24c17e68938a9fe8f8f1d062e2db
                                                                                          • Instruction ID: 06034c09a380b67456f64a6cc71bbc1075b83f40537ea60a42ab4a6d8e407b0f
                                                                                          • Opcode Fuzzy Hash: dd8323cc3663becab7e2967d3efa69540a9c24c17e68938a9fe8f8f1d062e2db
                                                                                          • Instruction Fuzzy Hash: 3AA181B2540208BBEB21DFA1CC45FDF3BACEB44344F104437FA05A6192D7B999948FA9

                                                                                          Control-flow Graph

control-flow graph of the function at 0x406a60 (basic blocks 0x406a60-0x406ba6; the edge list is not reproduced). Structure recoverable from the graph: CreateFileA (dwDesiredAccess 0x40000000 = GENERIC_WRITE, dwCreationDisposition 2 = CREATE_ALWAYS, attributes 0x80 = FILE_ATTRIBUTE_NORMAL); on failure the function goes straight to GetLastError at 0x406b8c; on success it calls GetDiskFreeSpaceA, then subroutines 0x40eb0e / 0x40eca5 and 0x406987, and an error from 0x406987 or from the close path at 0x406b56 leads to GetLastError, CloseHandle and DeleteFileA, i.e. the file just created is deleted again when the operation fails.
                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                          • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                          • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3188212458-2980165447
                                                                                          • Opcode ID: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
                                                                                          • Instruction ID: 39f8afa0f9c16d59a54efa000c115c62b3535d7a3470d06cdb9238e0f04a129a
                                                                                          • Opcode Fuzzy Hash: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
                                                                                          • Instruction Fuzzy Hash: C531E0B2900108BFDB01DFA09D44ADF7F78AF48314F158076E112F7291D778A9648F69

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0
                                                                                          • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                          • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                          • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                          • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                          Control-flow Graph

control-flow graph of the function at 0x6b1dc3 in the unpacked region at 0x6a2000 (basic blocks 0x6b1dc3-0x6b1e21; the edge list is not reproduced). API nodes: CreateToolhelp32Snapshot (dwFlags 8 = TH32CS_SNAPMODULE, th32ProcessID 0 = current process) and Module32First (dwSize 0x224 = sizeof(MODULEENTRY32)); the failure path after the snapshot call (0x6b1df5) loops back to 0x6b1dde and retries, and the Module32First result feeds subroutine 0x6b1a82.
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006B1DEB
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 006B1E0B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133585534.00000000006A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 006A2000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6a2000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0
                                                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction ID: 696289c74a8974d4652e780d3c056231e4a97f0d5f035470289b066480fe4ea3
                                                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction Fuzzy Hash: 1DF0F6722003117FD7203BF9989DBEE73EDAF4A325F500128E642951C0DB70ED864BA1
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                            • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocateSize
                                                                                          • String ID:
                                                                                          • API String ID: 2559512979-0
                                                                                          • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                          • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                          • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                          • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                          Control-flow Graph

control-flow graph of the function at 0x4073ff (basic blocks 0x4073ff-0x407808; the edge list is not reproduced). Structure recoverable from the graph: RegOpenKeyExA on 0x80000002 (HKEY_LOCAL_MACHINE) with samDesired 0x20119 (KEY_READ | KEY_WOW64_64KEY); a RegEnumKeyA loop at 0x407703 over the subkeys; for each subkey a second RegOpenKeyExA (samDesired 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY), RegQueryValueExA, string handling through 0x40ee95 / 0x40ef00 / 0x40f1a5 (lstrlenA) and ___ascii_stricmp, then GetFileAttributesExA at 0x40777e on the resulting path; RegCloseKey on every exit path (five call sites). The function references the strings " (0x22, a double quote) and PromptOnSecureDesktop.
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "$PromptOnSecureDesktop
                                                                                          • API String ID: 3433985886-3108538426
                                                                                          • Opcode ID: 573530a394494cd252acd85827aa24eb1d86e5d70ab511f0ce4f94472402c086
                                                                                          • Instruction ID: 197d4fc66f8e4192ef9d41e029ea27591e600de1538a1216c66efdd274428ce7
                                                                                          • Opcode Fuzzy Hash: 573530a394494cd252acd85827aa24eb1d86e5d70ab511f0ce4f94472402c086
                                                                                          • Instruction Fuzzy Hash: F8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                          Control-flow Graph

control-flow graph of the function at 0x40704c (basic blocks 0x40704c-0x4073f7; the edge list is not reproduced). Structure recoverable from the graph: RegOpenKeyExA on 0x80000001 (HKEY_CURRENT_USER) with samDesired 0x101 (KEY_QUERY_VALUE | KEY_WOW64_64KEY); a RegEnumValueA loop at 0x40719b over the key's values; per value, string handling through 0x40eed1 / 0x40ee95 / 0x40ef00 / 0x40f1a5 (lstrlenA) and ___ascii_stricmp at 0x4072c2, then GetFileAttributesExA at 0x40737e on the resulting path; RegCloseKey on every exit path (seven call sites). The function references the strings " (0x22, a double quote) and PromptOnSecureDesktop.
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                                          • RegEnumValueA.KERNELBASE(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                                          • RegCloseKey.KERNELBASE(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                                          • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                          • String ID: $"$PromptOnSecureDesktop
                                                                                          • API String ID: 4293430545-98143240
                                                                                          • Opcode ID: 3f864b9e64e2f7a1d4d97f78ecf1fd3725cd2b03a8b023efc5a10220ad7d3397
                                                                                          • Instruction ID: 7765b981cd58ee1688e4c4772d4ab21dab1833365f63e39a1c5bd68b3cda8b0b
                                                                                          • Opcode Fuzzy Hash: 3f864b9e64e2f7a1d4d97f78ecf1fd3725cd2b03a8b023efc5a10220ad7d3397
                                                                                          • Instruction Fuzzy Hash: E2B17071D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

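The file-reading routine at 0x40675c that follows reads the opened file in three fixed-size steps: 0x40 bytes at offset 0, then 0xF8 bytes after a SetFilePointer, then 0x28-byte records in a loop. Those sizes are sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), so the routine walks the PE headers of the file it opens (what it does with the section it finds is not shown in the report). The following parser is an added example written for this page; it is not code from the sample or from Joe Sandbox. It implements the same three reads in Python over a byte string, and the minimal PE32 image it parses in its own demo is constructed here, not taken from the analysed file. The find_section helper is a plausible use of the loop, labelled as an assumption.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# The three read sizes seen in the sandbox trace for the routine at 0x40675c.
DOS_HEADER_SIZE = 0x40      # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8    # sizeof(IMAGE_NT_HEADERS32) = 4 + 20 + 224
SECTION_HEADER_SIZE = 0x28  # sizeof(IMAGE_SECTION_HEADER)


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


@dataclass
class PEInfo:
    machine: int
    timestamp: int
    entry_point: int
    image_base: int
    sections: List[Section]


def parse_pe32(data: bytes) -> PEInfo:
    """Walk DOS header -> NT headers -> section table, mirroring the three reads in the trace."""
    # Read 1: 0x40 bytes of IMAGE_DOS_HEADER; e_lfanew lives at offset 0x3C.
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Read 2: SetFilePointer(e_lfanew) then 0xF8 bytes of IMAGE_NT_HEADERS32.
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("bad or truncated PE signature")
    # IMAGE_FILE_HEADER starts right after the 4-byte signature.
    machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", nt, 4)
    opt = 24  # IMAGE_OPTIONAL_HEADER32 starts at 4 + 20
    if struct.unpack_from("<H", nt, opt)[0] != 0x10B:
        raise ValueError("not PE32 (this parser does not handle PE32+)")
    entry_point = struct.unpack_from("<I", nt, opt + 16)[0]  # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", nt, opt + 28)[0]   # ImageBase
    # Read 3: one 0x28-byte IMAGE_SECTION_HEADER per section, in a loop.
    sect_off = e_lfanew + 4 + 20 + opt_size
    sections: List[Section] = []
    for i in range(nsections):
        off = sect_off + i * SECTION_HEADER_SIZE
        raw = data[off:off + SECTION_HEADER_SIZE]
        if len(raw) != SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack("<8sIIIIIIHHI", raw)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, rptr, chars))
    return PEInfo(machine, timestamp, entry_point, image_base, sections)


def find_section(info: PEInfo, name: str) -> Optional[Section]:
    """Assumed use of the per-section loop: locate a section by name (case-insensitive)."""
    for s in info.sections:
        if s.name.lower() == name.lower():
            return s
    return None


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 image for the demo; it is not a real or runnable binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", DOS_HEADER_SIZE)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x66F00000, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x1000, 0x2000, 0, 0x1234, 0x1000, 0x2000)
    opt += struct.pack("<I", 0x400000)  # ImageBase at optional-header offset 28
    opt = opt.ljust(0xE0, b"\0")
    sections = b""
    for name, vaddr, rptr in ((b".text", 0x1000, 0x400), (b".data", 0x2000, 0x600)):
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                0x800, vaddr, 0x200, rptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + file_hdr + opt + sections).ljust(0x400, b"\0")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32()
    info = parse_pe32(blob)
    print(f"machine=0x{info.machine:x} entry=0x{info.entry_point:x} base=0x{info.image_base:x}")
    for s in info.sections:
        print(f"  {s.name:8s} rva=0x{s.virtual_address:06x} raw=0x{s.raw_pointer:06x}+0x{s.raw_size:x}")
```

Run with a path to a 32-bit PE to dump its headers, or with no argument to parse the constructed image. The length checks on each read are the part worth copying: the malware's own loop trusts NumberOfSections and e_lfanew from the file, and a parser used in a triage pipeline must not.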
                                                                                          Control-flow Graph

control-flow graph of the function at 0x40675c (basic blocks 0x40675c-0x406986; the edge list is not reproduced). Structure recoverable from the graph: SetFileAttributesA (0x80 = FILE_ATTRIBUTE_NORMAL) before the open and, on the alternate path, SetFileAttributesA (0x2 = FILE_ATTRIBUTE_HIDDEN) after it; CreateFileA with GENERIC_READ (0x80000000), share mode 3, OPEN_EXISTING (3), retried at 0x4067a4 with FILE_ATTRIBUTE_SYSTEM (0x4) if the first open fails; GetFileSize; ReadFile of 0x40 bytes, SetFilePointer, ReadFile of 0xF8 bytes, SetFilePointer, then a loop at 0x406878 reading 0x28-byte records with a comparison after each one; a final SetFilePointer and ReadFile via subroutines 0x40ebcc (consistent with the GetProcessHeap/RtlAllocateHeap wrapper listed above) and 0x40ec2e; CloseHandle on every exit path. The three read sizes match sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER).
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
• CloseHandle.KERNELBASE(000000FF,?,76230F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0060024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691

APIs
• _strlen.LIBCMT ref: 0043AFA0
• _feof.LIBCMT ref: 0043AFBA
  • Part of subcall function 0043ADE0: VirtualProtect.KERNELBASE(0045A480,0045A9F4,00000020,?), ref: 0043AE8F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
Similarity
• API ID: ProtectVirtual_feof_strlen
• String ID: 89A$=<9A$Bq ${
• API String ID: 1251290033-441600927

APIs
• lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
• lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
• lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
• String ID: PromptOnSecureDesktop
• API String ID: 4131120076-2980165447

APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID: PromptOnSecureDesktop
• API String ID: 408151869-2980165447

APIs
• WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162

APIs
• VirtualProtect.KERNELBASE(0045A480,0045A9F4,00000020,?), ref: 0043AE8F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-3916222277

APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
• Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-0
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,00600223,?,?), ref: 00600E19
• SetErrorMode.KERNELBASE(00000000,?,?,00600223,?,?), ref: 00600E1E
Memory Dump Source
• Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
                                                                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction ID: 5e5b7fc9be17af52c8aa1593ebc2cf7226538b4808b2ec5a12ddc81c56322646
                                                                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction Fuzzy Hash: 08D0123114512877D7002A94DC09BCE7B1CDF05B62F008411FB0DE9180C770994046E5
                                                                                          APIs
                                                                                            • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1823874839-0
                                                                                          • Opcode ID: 54bc16a58432e014760a8219cb6401776c0b2f7f4e35f25b0da1a83a0963d2cd
                                                                                          • Instruction ID: 594da891b9e57e87d6aa513f65a0e563028cfc4c29bd5910f078fc56da7159a2
                                                                                          • Opcode Fuzzy Hash: 54bc16a58432e014760a8219cb6401776c0b2f7f4e35f25b0da1a83a0963d2cd
                                                                                          • Instruction Fuzzy Hash: 84F0C2B6104218AFD710DB64EEC4FE77BAED714308F1084B6F286E3141D6B89DA85B6C
                                                                                          APIs
                                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0043EF03
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 10892065-0
                                                                                          • Opcode ID: ba49affe4ba948a0bcfaba6f076b34328c56a29a8243271a74c8c5a257fdd3ef
                                                                                          • Instruction ID: c47c4244610d5876d865f45c43479abe6b0c6b95a462d5fe56188cfb810440df
                                                                                          • Opcode Fuzzy Hash: ba49affe4ba948a0bcfaba6f076b34328c56a29a8243271a74c8c5a257fdd3ef
                                                                                          • Instruction Fuzzy Hash: EED05E765583486EDB105F716C087263BDCA388396F044436B90CC6190E7B5C940C508
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006B1AD3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133585534.00000000006A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 006A2000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6a2000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: a521632b412bdc3f4331fca387d88913c3b07ebd21773b7050d3287afa57c9ba
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: 61112D79A00208FFDB01DF98C995E98BBF5AF09351F058094F9489F362D371EA90DB80
                                                                                          APIs
                                                                                          • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                          • closesocket.WS2_32(?), ref: 0040CB63
                                                                                          • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                          • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                          • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                          • wsprintfA.USER32 ref: 0040CD21
                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                          • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                          • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                          • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                          • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                          • closesocket.WS2_32(?), ref: 0040D56C
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                          • ExitProcess.KERNEL32 ref: 0040D583
                                                                                          • wsprintfA.USER32 ref: 0040D81F
                                                                                            • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                          • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                          • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                          • API String ID: 562065436-3791576231
                                                                                          • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                          • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                          • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                          • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
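The trace above is the sample's installer routine. A file is written under the path returned by GetTempPathA with GENERIC_WRITE (0x40000000) and CREATE_ALWAYS (2), started with CreateProcessA using CREATE_NO_WINDOW (0x08000000), waited on for 0xEA60 = 60000 ms and deleted. Three further files are then written under GetEnvironmentVariableA/GetSystemDirectoryA paths: SetFileAttributesA first sets FILE_ATTRIBUTE_NORMAL (0x80), CreateFileA opens with GENERIC_READ|GENERIC_WRITE (0xC0000000), and after WriteFile the attributes are switched to FILE_ATTRIBUTE_HIDDEN (0x02). The string table (.sys, drivers\, .dat, localcfg, work_srv, srv_time) fits a driver plus configuration drop. CreateProcessA and DeleteFileA are called once more, then Sleep(0x3E8 = 1000 ms) and ExitProcess. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses these bullet lines, names the Win32 constants, and groups the calls into drop episodes. SAMPLE_TRACE is constructed from a subset of the lines above. The grouping is positional, and because the path and handle arguments are "?" in a static listing it cannot prove which file each later call touches; the report's "Deletes itself after installation" signature suggests the last DeleteFileA removes the dropper rather than a dropped file.

```python
"""Decode a Joe Sandbox API trace (the bullet lines above) into named Win32
constants and group it into drop/execute/delete episodes.
Added example; not part of the Joe Sandbox report or the Tofsee sample."""
import re

# Constructed input: trace lines copied from the function above, reduced to the
# calls that matter for the pattern (the real listing has three system-dir drops).
SAMPLE_TRACE = """\
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)"   # CreateFileA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"              # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"     # call-site address
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
FILE_ATTR = [(0x02, "FILE_ATTRIBUTE_HIDDEN"), (0x04, "FILE_ATTRIBUTE_SYSTEM"),
             (0x80, "FILE_ATTRIBUTE_NORMAL")]
PROC_FLAGS = [(0x08000000, "CREATE_NO_WINDOW")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def parse_arg(tok):
    """Hex tokens become ints (32-bit wrap for negatives); '?' and strings stay text."""
    tok = tok.strip()
    return int(tok, 16) & 0xFFFFFFFF if HEX_RE.match(tok) else tok


def parse_trace(text):
    """One dict per bullet line: api name, parsed args, call-site address."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "args": args, "ref": int(m["ref"], 16)})
    return calls


def flags(value, table):
    """Name the bits of value from table; leftover bits are shown as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table) & 0xFFFFFFFF
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def describe(call):
    """Human-readable form of one call; unknown ('?') arguments stay unknown."""
    api, a = call["api"], call["args"]
    num = lambda i: a[i] if i < len(a) and isinstance(a[i], int) else None
    if api == "CreateFileA":   # (name, access, share, sec, disposition, flags, template)
        return (f"CreateFileA access={flags(num(1) or 0, ACCESS)} "
                f"disposition={DISPOSITION.get(num(4), '?')} attrs={flags(num(5) or 0, FILE_ATTR)}")
    if api == "SetFileAttributesA":   # (name, attributes)
        return f"SetFileAttributesA {flags(num(1) or 0, FILE_ATTR)}"
    if api == "CreateProcessA":       # creation flags are the 6th argument
        return f"CreateProcessA flags={flags(num(5) or 0, PROC_FLAGS)}"
    if api in ("WaitForSingleObject", "Sleep"):
        ms = num(1) if api == "WaitForSingleObject" else num(0)
        return f"{api} {ms} ms" if ms is not None else api
    return api


def find_drops(calls):
    """Split the trace at each CreateFileA opened for writing and record what
    follows it up to the next such open. Positional grouping only: with '?'
    handles and paths the trace cannot prove every later call touches the
    same file (the final DeleteFileA may well target the dropper itself)."""
    episodes, cur = [], None
    for c in calls:
        api, a = c["api"], c["args"]
        if api == "CreateFileA" and len(a) > 1 and isinstance(a[1], int) and a[1] & 0x40000000:
            if cur:
                episodes.append(cur)
            cur = {"create_ref": c["ref"], "written": False, "hidden": False,
                   "executed": False, "deleted": False, "wait_ms": None}
        elif cur is not None:
            if api == "WriteFile":
                cur["written"] = True
            elif api == "SetFileAttributesA" and len(a) > 1 and isinstance(a[1], int) and a[1] & 0x02:
                cur["hidden"] = True
            elif api == "CreateProcessA":
                cur["executed"] = True
            elif api == "WaitForSingleObject" and len(a) > 1 and isinstance(a[1], int):
                cur["wait_ms"] = a[1]
            elif api == "DeleteFileA":
                cur["deleted"] = True
    if cur:
        episodes.append(cur)
    return episodes


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        print(f"{c['ref']:08X}  {describe(c)}")
    for ep in find_drops(calls):
        print(ep)
```

Run against the constructed trace it reports two episodes: the temp-file drop (written, executed, 60000 ms wait, deleted) and the hidden system-directory drop. For a real investigation the same parser can be pointed at the full listing, but the "?" arguments mean the file identity behind each episode has to come from the dynamic file-system and process events elsewhere in the report, not from this static trace.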
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                          • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                          • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                          • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                          • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                          • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                          • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                          • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                          • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                          • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                          • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                          • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                          • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                          • API String ID: 2238633743-3228201535
                                                                                          • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                          • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                          • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                          • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                          • wsprintfA.USER32 ref: 0040B3B7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                          • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                          • API String ID: 766114626-2976066047
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
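The function above combines GetLocalTime, GetTimeZoneInformation and wsprintfA with the format "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" and the three-letter day and month names. That is the RFC 5322 Date header layout ("Mon, 14 Oct 2024 10:22:33 +0200"), consistent with a spam bot composing its own mail rather than relying on a mail client. The Python below is an added example, not code from the report or from the sample. It rebuilds that line from SYSTEMTIME-style fields and a TIME_ZONE_INFORMATION Bias, which is an assumption about how the sample derives the zone offset (Bias counts minutes west of UTC, so its sign must be inverted in the header), and checks that the standard library's RFC 5322 parser accepts the result. The day and month table order follows the SYSTEMTIME convention; that too is an assumption, since the report lists strings alphabetically.

```python
"""Rebuild the RFC 5322 Date line that the wsprintfA format above produces and
verify it round-trips through a standards-compliant parser.
Added example; not code from the Joe Sandbox report or from the sample."""
from datetime import datetime, timedelta, timezone
import email.utils

# Tables in SYSTEMTIME order (wDayOfWeek: 0 = Sunday; wMonth: 1 = January).
# Assumption: the sample indexes its string table the same way.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Format string exactly as listed in the report's String ID field.
FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"


def offset_from_bias(bias_minutes):
    """TIME_ZONE_INFORMATION.Bias counts minutes WEST of UTC (UTC = local + Bias),
    so the printed offset has the opposite sign: Bias -120 -> ('+', 2, 0)."""
    east = -bias_minutes
    sign = "+" if east >= 0 else "-"
    east = abs(east)
    return sign, east // 60, east % 60


def build_date_header(local_time, bias_minutes):
    """local_time: naive datetime as GetLocalTime would report it. Assumption:
    the sample feeds wsprintfA the SYSTEMTIME fields plus a Bias-derived offset."""
    wday = (local_time.weekday() + 1) % 7        # Python Monday=0 -> SYSTEMTIME Sunday=0
    sign, hh, mm = offset_from_bias(bias_minutes)
    return FMT % (DAYS[wday], local_time.day, MONTHS[local_time.month - 1],
                  local_time.year, local_time.hour, local_time.minute,
                  local_time.second, sign, hh, mm)


def parse_to_utc(header_value):
    """Parse with the stdlib RFC 5322 parser; raises on malformed input."""
    return email.utils.parsedate_to_datetime(header_value).astimezone(timezone.utc)


def round_trips(local_time, bias_minutes):
    """True when parser(UTC) == local + Bias, i.e. the line is a valid Date header."""
    expected = local_time.replace(tzinfo=timezone.utc) + timedelta(minutes=bias_minutes)
    return parse_to_utc(build_date_header(local_time, bias_minutes)) == expected


if __name__ == "__main__":
    # Constructed inputs: a Monday at UTC+2 (Bias -120) and a UTC-3:30 zone (Bias 210).
    for local, bias in [(datetime(2024, 10, 14, 10, 22, 33), -120),
                        (datetime(2024, 10, 14, 10, 22, 33), 210)]:
        print(build_date_header(local, bias), round_trips(local, bias))
```

The point for detection is the negative one: the Date line this routine emits is byte-for-byte what a legitimate mailer produces, so it is not usable as a mail signature on its own; the value of the function is as corroboration of spam-sending capability alongside the send() calls and SMTP-related strings elsewhere in the listing.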
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                          • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                          • API String ID: 1628651668-1839596206
                                                                                          • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                          • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                          • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                          • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                          • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                            • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                          • API String ID: 4207808166-1381319158
                                                                                          • Opcode ID: f83cae532fda0f7b628782386ce8b2feec09b1d0c3fd7cfd61acfb995292e920
                                                                                          • Instruction ID: d6b35303784bc7068dc70d414bcf7f40aad10565f6e4a34c223da57409024e49
                                                                                          • Opcode Fuzzy Hash: f83cae532fda0f7b628782386ce8b2feec09b1d0c3fd7cfd61acfb995292e920
                                                                                          • Instruction Fuzzy Hash: 9651EA705043446FD330AF768C85F67BAECEB84708F00493FF955A2292D7BDA95487A9
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                                          • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                          • htons.WS2_32(00000000), ref: 00402ADB
                                                                                          • select.WS2_32 ref: 00402B28
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                          • htons.WS2_32(?), ref: 00402B71
                                                                                          • htons.WS2_32(?), ref: 00402B8C
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 1639031587-0
                                                                                          • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                          • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                          • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                          • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                          • ExitProcess.KERNEL32 ref: 00404121
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2404124870-2980165447
                                                                                          • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                          • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                          • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                          • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                          • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                          • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                          • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                          • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                          • String ID: *p@
                                                                                          • API String ID: 3429775523-2474123842
                                                                                          • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                          • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 006065F6
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00606610
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00606631
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00606652
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction ID: a38fb02cb1b8bdc450920f971ced91a8ab60e08a4a3d40738c7c81e2561d1324
                                                                                          • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction Fuzzy Hash: F711A371640218BFDB259F65DC06FDB3FA9EB047A5F104024F908E7291D7B2DD1086A4
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,?), ref: 0040638F
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,?), ref: 004063A9
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                          • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                          • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                            • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                            • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3754425949-0
                                                                                          • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                          • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                          • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                          • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: .$GetProcAddress.$l
                                                                                          • API String ID: 0-2784972518
                                                                                          • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                          • Instruction ID: ca3e0dc928b3eb58f5f920a532e04de175240ee417e0ebceb62b96e15e73e0bb
                                                                                          • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                          • Instruction Fuzzy Hash: 683137B6900609DFEB14CF99C880BAEBBF6FF48324F25504AD441A7351D771EA45CBA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                          • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                          • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                          • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133585534.00000000006A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 006A2000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6a2000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction ID: 286080fffba44842fcef4e8575c94b031553f78ca8775af079a2ca657e5ad825
                                                                                          • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction Fuzzy Hash: 671170B2340100AFD754DF55DCA1EE673EAEB8A360B698165E904CB315E675EC42C760
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                          • Instruction ID: 0d8b75db3329e727e2f298a538b10a5da1ac7c04e1debf53f6a48a6320adb0d8
                                                                                          • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                          • Instruction Fuzzy Hash: FD01A7766406048FEF25CF64C804BEB33E6EF85315F4544E5D506973C2E774A9418B90
                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32 ref: 00609E6D
                                                                                          • lstrcpy.KERNEL32(?,00000000), ref: 00609FE1
                                                                                          • lstrcat.KERNEL32(?,?), ref: 00609FF2
                                                                                          • lstrcat.KERNEL32(?,0041070C), ref: 0060A004
                                                                                          • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0060A054
                                                                                          • DeleteFileA.KERNEL32(?), ref: 0060A09F
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0060A0D6
                                                                                          • lstrcpy.KERNEL32 ref: 0060A12F
                                                                                          • lstrlen.KERNEL32(00000022), ref: 0060A13C
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 00609F13
                                                                                            • Part of subcall function 00607029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00607081
                                                                                            • Part of subcall function 00606F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\cmxmskcp,00607043), ref: 00606F4E
                                                                                            • Part of subcall function 00606F30: GetProcAddress.KERNEL32(00000000), ref: 00606F55
                                                                                            • Part of subcall function 00606F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00606F7B
                                                                                            • Part of subcall function 00606F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00606F92
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0060A1A2
                                                                                          • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0060A1C5
                                                                                          • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0060A214
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0060A21B
                                                                                          • GetDriveTypeA.KERNEL32(?), ref: 0060A265
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 0060A29F
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 0060A2C5
                                                                                          • lstrcat.KERNEL32(?,00000022), ref: 0060A2D9
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 0060A2F4
                                                                                          • wsprintfA.USER32 ref: 0060A31D
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 0060A345
                                                                                          • lstrcat.KERNEL32(?,?), ref: 0060A364
                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0060A387
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0060A398
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0060A1D1
                                                                                            • Part of subcall function 00609966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0060999D
                                                                                            • Part of subcall function 00609966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 006099BD
                                                                                            • Part of subcall function 00609966: RegCloseKey.ADVAPI32(?), ref: 006099C6
                                                                                          • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0060A3DB
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0060A3E2
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 0060A41D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                          • String ID: "$"$"$D$P$\
                                                                                          • API String ID: 1653845638-2605685093
                                                                                          • Opcode ID: f09d99bef10a707308c08a341eb846df543125ad02325dd00d10b794679eceeb
                                                                                          • Instruction ID: c389e5303b252b28d9cac88e195e444d81f4e4943055c323ee86538f73e6faac
                                                                                          • Opcode Fuzzy Hash: f09d99bef10a707308c08a341eb846df543125ad02325dd00d10b794679eceeb
                                                                                          • Instruction Fuzzy Hash: A8F153B1C8021DAFDF25DBA0CC49EEF7BBDAB08344F1444A9F605E2181E7758A848F65
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00607D21
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00607D46
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00607D7D
                                                                                          • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00607DA2
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00607DC0
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00607DD1
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00607DE5
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00607DF3
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00607E03
                                                                                          • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00607E12
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00607E19
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00607E35
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: D$PromptOnSecureDesktop
                                                                                          • API String ID: 2976863881-1403908072
                                                                                          • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                          • Instruction ID: 6ddb5a849a8e63d4e82f5725ebf9ff1544124760c8226c418f7ac8739cc2ce02
                                                                                          • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                          • Instruction Fuzzy Hash: 8BA14E71D40219AFDB15CFA0DD88FEFBBB9FB08300F148469E506E6290DB759A85CB64
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                          • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: D$PromptOnSecureDesktop
                                                                                          • API String ID: 2976863881-1403908072
                                                                                          • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                          • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                          • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                          • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                          • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                          • API String ID: 2400214276-165278494
                                                                                          • Opcode ID: 64bdd4d646a522699b5472447b714269db1a1731565c65632a199503b6103360
                                                                                          • Instruction ID: 302e59d67534013c0e033960a005fbe7b570eed1172f45d0d905d428b8e71e1f
                                                                                          • Opcode Fuzzy Hash: 64bdd4d646a522699b5472447b714269db1a1731565c65632a199503b6103360
                                                                                          • Instruction Fuzzy Hash: 87616F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040A7FB
                                                                                          • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                          • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                          • wsprintfA.USER32 ref: 0040A8AF
                                                                                          • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                          • wsprintfA.USER32 ref: 0040A8E2
                                                                                          • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                          • wsprintfA.USER32 ref: 0040A9B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$send$lstrlenrecv
                                                                                          • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                          • API String ID: 3650048968-2394369944
                                                                                          • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                          • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                          • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                          • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
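The function above is the spam module's SMTP client: its string table holds the full command sequence (ehlo/helo, AUTH LOGIN, mail from, rcpt to, data, quit) and three response-validation errors, and its API list shows one send per command, a 5-byte send of "." and a recv of 0x3F6 bytes. The block below is an added example, not code from the sample or from Joe Sandbox: a Python client that issues that command sequence against a constructed in-process relay over a socketpair, so the whole exchange can be observed offline. The relay, host name, credentials, addresses and message body are constructed for the demo; reading the 0x3F6 recv length as a reply-size cap, the 5-byte "." send as the CRLF.CRLF terminator, and the "ESMTP" string as the switch between ehlo and helo are inferences from the listing, not facts the report states.

```python
"""Added example: replay of the SMTP command sequence shown in the listing.
Not code from the sample or from Joe Sandbox; relay, names and credentials
are constructed for the demo, the command and error strings come from the
function's string table."""
import base64
import socket
import threading

RECV_LEN = 0x3F6  # recv length in the listing (1014 bytes); assumed to cap a reply


class SmtpError(Exception):
    """Raised with the wording of the function's own error strings."""


def _send_line(sock, line):
    data = line.encode() + b"\r\n"
    n = sock.send(data)
    if n != len(data):
        raise SmtpError("Error sending command (sent = %d/%d)" % (n, len(data)))


def _reply(sock):
    """Read one reply; the three checks mirror the listing's error strings."""
    buf = sock.recv(RECV_LEN)
    if len(buf) >= RECV_LEN:
        raise SmtpError("Too big smtp respons (%d bytes)" % len(buf))
    if len(buf) < 3:
        raise SmtpError("Too small respons")
    if not buf[:3].isdigit():
        raise SmtpError("Incorrect respons")
    return int(buf[:3]), buf.decode(errors="replace")


def send_mail(sock, host, creds, sender, rcpt, body):
    """Drive one submission; returns the command lines sent, in order."""
    sent = []

    def cmd(line, expect):
        _send_line(sock, line)
        sent.append(line)
        if _reply(sock)[0] != expect:
            raise SmtpError("Incorrect respons")

    code, banner = _reply(sock)
    if code != 220:
        raise SmtpError("Incorrect respons")
    # "ESMTP" is in the string table; assumed here to select ehlo over helo
    cmd(("ehlo %s" if "ESMTP" in banner else "helo %s") % host, 250)
    if creds:  # AUTH LOGIN: base64 user name, then base64 password
        cmd("AUTH LOGIN", 334)
        cmd(base64.b64encode(creds[0].encode()).decode(), 334)
        cmd(base64.b64encode(creds[1].encode()).decode(), 235)
    cmd("mail from:<%s>" % sender, 250)
    cmd("rcpt to:<%s>" % rcpt, 250)
    cmd("data", 354)
    sock.sendall(body.encode())
    sock.sendall(b"\r\n.\r\n")  # the 5-byte send of "." in the listing
    if _reply(sock)[0] != 250:
        raise SmtpError("Incorrect respons")
    cmd("quit", 221)
    return sent


def fake_relay(sock, log):
    """Constructed peer: a permissive ESMTP relay that logs every command line."""
    sock.sendall(b"220 mx.example.test ESMTP\r\n")
    pending, state = b"", "cmd"
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return
        pending += chunk
        while b"\r\n" in pending:
            line, pending = pending.split(b"\r\n", 1)
            if state == "data":  # message body until the lone "." line
                if line == b".":
                    state = "cmd"
                    sock.sendall(b"250 queued\r\n")
                continue
            log.append(line.decode(errors="replace"))
            if state == "user":
                state = "pass"
                sock.sendall(b"334 UGFzc3dvcmQ6\r\n")
            elif state == "pass":
                state = "cmd"
                sock.sendall(b"235 authenticated\r\n")
            else:
                verb = line.split(b" ", 1)[0].lower()
                if verb == b"auth":
                    state = "user"
                    sock.sendall(b"334 VXNlcm5hbWU6\r\n")
                elif verb == b"data":
                    state = "data"
                    sock.sendall(b"354 end with <CRLF>.<CRLF>\r\n")
                elif verb == b"quit":
                    sock.sendall(b"221 bye\r\n")
                    return
                else:
                    sock.sendall(b"250 ok\r\n")


def run_demo():
    """Client and relay over a socketpair; returns (commands sent, relay log)."""
    client, server = socket.socketpair()
    log = []
    worker = threading.Thread(target=fake_relay, args=(server, log))
    worker.start()
    try:
        sent = send_mail(client, "bot.example.test", ("user", "s3cret"),
                         "sender@example.test", "victim@example.test",
                         "Subject: constructed test\r\n\r\nbody line\r\n")
    finally:
        client.close()
        worker.join()
        server.close()
    return sent, log


if __name__ == "__main__":
    for line in run_demo()[0]:
        print("C:", line)
```

Running `run_demo()` prints the client side of the session in the order the function emits it. For network detection the useful detail is the fixed shape of that sequence: lower-case `mail from:<...>` and `rcpt to:<...>` verbs built from the `%s` format strings, an optional AUTH LOGIN pair of base64 lines, and a bare `data` followed by the CRLF.CRLF terminator sent as its own 5-byte write.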
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00607A96
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00607ACD
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00607ADF
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00607B01
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00607B1F
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00607B39
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00607B4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00607B58
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00607B68
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00607B77
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00607B7E
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00607B9A
                                                                                          • GetAce.ADVAPI32(?,?,?), ref: 00607BCA
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00607BF1
                                                                                          • DeleteAce.ADVAPI32(?,?), ref: 00607C0A
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00607C2C
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00607CB1
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00607CBF
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00607CD0
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00607CE0
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00607CEE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction ID: f94d7baa27170664f7a7b63508fea508ab7bf58432c4c3f75191f6af49eed310
                                                                                          • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction Fuzzy Hash: F3814D71D4421AAFDB15CFA4DD48FEFBBB9EF08304F04806AE505E6290D775AA41CB64
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                          • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                          • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                          • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: PromptOnSecureDesktop$localcfg
                                                                                          • API String ID: 237177642-1678164370
                                                                                          • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                          • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                          • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                          • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                          • API String ID: 835516345-270533642
                                                                                          • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                          • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                          • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                          • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0060865A
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0060867B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 006086A8
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 006086B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: "$PromptOnSecureDesktop
                                                                                          • API String ID: 237177642-3108538426
                                                                                          • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                          • Instruction ID: 90fb4428aaed878ae58cb48a88724d8fe0859b05d5be2d74ccb286e204afa899
                                                                                          • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                          • Instruction Fuzzy Hash: C5C1A271980209BEEB15EBA4DC85EEF7B7EEB04300F144479F541E3191EAB18E948B69
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 00601601
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 006017D8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $<$@$D
                                                                                          • API String ID: 1628651668-1974347203
                                                                                          • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                          • Instruction ID: 0106f8326c29c87495d64b03651bf441e723d1204bf1639b59ff95524b78e91c
                                                                                          • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                          • Instruction Fuzzy Hash: ECF1ADB15483419FD724CF64C888BABB7E6FB8A304F00892DF6969B390D7B4D944CB56
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006076D9
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00607757
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0060778F
                                                                                          • ___ascii_stricmp.LIBCMT ref: 006078B4
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0060794E
                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0060796D
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0060797E
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 006079AC
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00607A56
                                                                                            • Part of subcall function 0060F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0060772A,?), ref: 0060F414
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 006079F6
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00607A4D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "$PromptOnSecureDesktop
                                                                                          • API String ID: 3433985886-3108538426
                                                                                          • Opcode ID: ee68fc272f5aca9451a2f3cc8bacf15325f24d7edfc7c02b11cb973e6eadd9ed
                                                                                          • Instruction ID: ac1dadede3495783e220f03068f8a22dcffc91644f91668f8c29acb1ebc4ed2a
                                                                                          • Opcode Fuzzy Hash: ee68fc272f5aca9451a2f3cc8bacf15325f24d7edfc7c02b11cb973e6eadd9ed
                                                                                          • Instruction Fuzzy Hash: F5C1D271D84209AFDB299BA4DC45FEF7BBAEF45310F1040A5F504E62D1EB71AE808B64
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00602CED
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 00602D07
                                                                                          • htons.WS2_32(00000000), ref: 00602D42
                                                                                          • select.WS2_32 ref: 00602D8F
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 00602DB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00602E62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 127016686-0
                                                                                          • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction ID: 6aa280bc4b535c23eccfb838c3cdfc821fee280d4ed5cc7e2961b9725fb67911
                                                                                          • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction Fuzzy Hash: AB61DF7158430AABC3249F60DC4CBABBBE9EF88341F144819F98496291D7B49C818BA6
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                            • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                            • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                          • wsprintfA.USER32 ref: 0040AEA5
                                                                                            • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                          • wsprintfA.USER32 ref: 0040AE4F
                                                                                          • wsprintfA.USER32 ref: 0040AE5E
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                          • API String ID: 3631595830-1816598006
                                                                                          • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                          • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                          • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                          • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
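The function at 0040AD98 above assembles mail headers from the printf templates listed under its String ID (the `----=_NextPart_%03d_%04X_%08.8lX.%08.8lX` boundary and the `%08x@%s` identifier). Turning those templates into regular expressions gives a mail-gateway check for messages produced by this builder. The Python below is an added example, not Joe Sandbox output and not code from the sample: the two templates are copied from the list above, the header lines it scans are constructed for the demonstration, and reading the templates as an imitation of Outlook's boundary and Message-ID formats is an inference from the `%OUTLOOK_BND_` and `%OUTLOOK_MID` macro names, which the report lists but does not explain.

```python
"""Convert the spam builder's printf templates into regexes and scan mail headers.

Added example for this report; the TEMPLATES are the format strings listed under
"String ID" for the function at 0040AD98, SAMPLE_HEADERS are constructed here.
"""
import re

# %[flags][width][.precision][length]conversion, limited to what these templates use.
_SPEC = re.compile(
    r"%(?P<flags>[-+ #0]*)(?P<width>\d+)?(?:\.(?P<prec>\d+))?(?P<len>ll|l|h)?(?P<conv>[dixXs])"
)
_CLASS = {"d": "[0-9]", "i": "[0-9]", "x": "[0-9a-f]", "X": "[0-9A-F]"}
_TOKEN = r'[^\s<>"]+'  # what a %s expansion looks like inside a header value


def format_to_regex(fmt):
    """Translate a printf-style template into a regex fragment.

    Assumption made here: a zero-padded or precision-qualified field is emitted at
    exactly its width (true for the 32-bit hex fields and the 3-digit counter of
    the boundary template); a bare width becomes an upper bound.
    """
    out, pos = [], 0
    for m in _SPEC.finditer(fmt):
        out.append(re.escape(fmt[pos:m.start()]))
        if m["conv"] == "s":
            out.append(_TOKEN)
        else:
            cls, width = _CLASS[m["conv"]], m["width"]
            if width and ("0" in m["flags"] or m["prec"]):
                out.append(f"{cls}{{{max(int(width), int(m['prec'] or 0))}}}")
            elif width:
                out.append(f"{cls}{{1,{width}}}")
            else:
                out.append(f"{cls}+")
        pos = m.end()
    out.append(re.escape(fmt[pos:]))
    return "".join(out)


TEMPLATES = {  # copied from the String ID list of the function at 0040AD98
    "boundary": "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX",
    "message_id": "%08x@%s",
}

BOUNDARY_RE = re.compile(r'boundary="?(' + format_to_regex(TEMPLATES["boundary"]) + r')"?')
MESSAGE_ID_RE = re.compile(r"Message-ID:\s*<(" + format_to_regex(TEMPLATES["message_id"]) + r")>")

SAMPLE_HEADERS = [  # constructed for this example, not taken from the sandbox run
    'Content-Type: multipart/alternative; boundary="----=_NextPart_000_00A3_01DA12F4.5C3B9D20"',
    "Message-ID: <4f2a9c1e@mail.example.test>",
    'Content-Type: multipart/mixed; boundary="----=_NextPart_01DA12F4"',
    "Message-ID: <20240115.123456@example.test>",
]


def matches_template(name, token):
    """True if the whole token is an instance of the named template."""
    return re.fullmatch(format_to_regex(TEMPLATES[name]), token) is not None


def scan_headers(lines):
    """Return the boundary and Message-ID tokens that match the builder's templates."""
    hits = {"boundary": [], "message_id": []}
    for line in lines:
        m = BOUNDARY_RE.search(line)
        if m:
            hits["boundary"].append(m.group(1))
        m = MESSAGE_ID_RE.search(line)
        if m:
            hits["message_id"].append(m.group(1))
    return hits


if __name__ == "__main__":
    for name, tokens in scan_headers(SAMPLE_HEADERS).items():
        print(name, tokens)
```

The third and fourth sample lines are deliberate near misses (a boundary with the right prefix but the wrong field layout, and a dotted Message-ID local part), so the scan reports only the two headers that follow the templates exactly. Legitimate Outlook mail uses the same boundary shape, so on a real gateway this pattern is a feature for correlation with the other indicators in this report rather than a verdict on its own.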
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                          • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                          • htons.WS2_32(00000035), ref: 00402E88
                                                                                          • inet_addr.WS2_32(?), ref: 00402E93
                                                                                          • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                          • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: GetNetworkParams$iphlpapi.dll
                                                                                          • API String ID: 929413710-2099955842
                                                                                          • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                          • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
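Several of the blocks above carry raw constants that decide what the function does: `socket(00000002,00000002,00000011)` at 00602D07, `htons(00000035)` at 00402E88 in the GetNetworkParams function just above, and the `RegOpenKeyExA` / `RegSetValueExA` calls at 0060865A, 006086A8 and 006076D9 whose access masks and value type are given as hex. The Python below is an added example for reading these lines; it is not Joe Sandbox output and not code from the sample. It parses lines in the report's own `API.MODULE(args), ref: address` shape and spells out the constants using the documented Win32 and Winsock values. The sample lines are copied from this page. Joe Sandbox prints a stack snapshot at the call site, so argument positions are treated as a best effort: the decoder keys on unambiguous values (HKEY roots, the socket triple, the htons port) and only relies on position for the RegSetValueEx type and size.

```python
"""Decode the hex constants in Joe Sandbox "APIs" lines into Win32/Winsock names.

Added example for this report, not Joe Sandbox code. SAMPLE_LINES are copied from
the function blocks on this page; the tables are the documented constant values.
"""
import re

# Matches "• socket.WS2_32(00000002,00000002,00000011), ref: 00602D07" and the
# argument-less form "• select.WS2_32 ref: 00602D8F".
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
            7: "REG_MULTI_SZ", 11: "REG_QWORD"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_BITS = [(0x00001, "KEY_QUERY_VALUE"), (0x00002, "KEY_SET_VALUE"),
            (0x00004, "KEY_CREATE_SUB_KEY"), (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
            (0x00010, "KEY_NOTIFY"), (0x00020, "KEY_CREATE_LINK"),
            (0x00100, "KEY_WOW64_64KEY"), (0x00200, "KEY_WOW64_32KEY"),
            (0x20000, "READ_CONTROL")]
ACCESS_MASK_BITS = 0xF033F  # standard rights, WOW64 flags and KEY_* bits


def _hex(arg):
    """Integer value of an 8-digit hex argument; None for '?' and string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_access(mask):
    """Spell out a samDesired mask, folding the KEY_READ composite first."""
    names = []
    if (mask & KEY_READ) == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in KEY_BITS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(hex(mask))
    return "|".join(names)


def _looks_like_access_mask(v):
    # Non-zero and built only from rights bits: 0x101, 0x103 and 0x20119 on this page
    # qualify, the HKEY root 0x80000002 and buffer sizes such as 0x288 do not.
    return v is not None and v > 0 and (v & ~ACCESS_MASK_BITS) == 0


def decode_line(line):
    """Return (api, decoded summary) for one report line, or None if it is not an API line."""
    m = API_LINE.search(line)
    if not m:
        return None
    api = m["api"]
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    vals = [_hex(a) for a in args]
    notes = []
    if api == "socket" and len(vals) >= 3 and None not in vals[:3]:
        notes.append(f"{AF.get(vals[0], vals[0])}/{SOCK_TYPE.get(vals[1], vals[1])}"
                     f"/{IPPROTO.get(vals[2], vals[2])}")
    elif api == "htons" and vals and vals[0] is not None:
        notes.append(f"port {vals[0]}" + (" (DNS)" if vals[0] == 53 else ""))
    elif api.startswith("RegOpenKeyEx"):
        notes += [HKEY[v] for v in vals if v in HKEY]
        notes += [decode_access(v) for v in vals if _looks_like_access_mask(v)]
    elif api.startswith("RegSetValueEx") and len(vals) >= 4 and vals[3] in REG_TYPE:
        # (hKey, lpValueName, Reserved, dwType, lpData, cbData): positions line up here.
        notes.append(REG_TYPE[vals[3]])
        if len(vals) >= 6 and vals[5] is not None:
            notes.append(f"{vals[5]} bytes")
    return api, ", ".join(notes)


SAMPLE_LINES = [  # copied from the function blocks in this report
    "• socket.WS2_32(00000002,00000002,00000011), ref: 00602D07",
    "• htons.WS2_32(00000035), ref: 00402E88",
    "• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0060865A",
    "• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 006086A8",
    "• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006076D9",
    "• select.WS2_32 ref: 00602D8F",
]


def triage(lines):
    """Decoded (api, summary) pairs for every API line that yielded a decoding."""
    return [d for d in map(decode_line, lines) if d and d[1]]


if __name__ == "__main__":
    for api, summary in triage(SAMPLE_LINES):
        print(f"{api:16} {summary}")
```

Run over the copied lines, the decoder reports an AF_INET/SOCK_DGRAM/IPPROTO_UDP socket for the listener at 00602D07, port 53 for the htons call in the resolver function, an HKLM key opened with KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY followed by a 4-byte REG_DWORD write at 006086A8, and an HKLM key opened read-only (KEY_READ|KEY_WOW64_64KEY) at 006076D9. The report itself does not name the subkeys (they appear as `?`), so the decoder makes no claim about which registry path is written.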
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?), ref: 006095A7
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006095D5
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 006095DC
                                                                                          • wsprintfA.USER32 ref: 00609635
                                                                                          • wsprintfA.USER32 ref: 00609673
                                                                                          • wsprintfA.USER32 ref: 006096F4
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00609758
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0060978D
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006097D8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3696105349-2980165447
                                                                                          • Opcode ID: e35f04148ce3af63e99fbb061a16182ac2415cb778cceb4801d6d6173470cb1c
                                                                                          • Instruction ID: 071045268869b9a7fdff2eb33fc3a93db369cf211225bc15fbbdee1b4a0a4c2c
                                                                                          • Opcode Fuzzy Hash: e35f04148ce3af63e99fbb061a16182ac2415cb778cceb4801d6d6173470cb1c
                                                                                          • Instruction Fuzzy Hash: 5DA163B1980208EFEB29DF90CC45FDB3BAEEB45341F104026F91596292E7B5D984CBA4
                                                                                          APIs
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmpi
                                                                                          • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                          • API String ID: 1586166983-142018493
                                                                                          • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                          • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                          • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                          • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 0060202D
• GetSystemInfo.KERNEL32(?), ref: 0060204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0060206A
• GetProcAddress.KERNEL32(00000000), ref: 00602071
• GetCurrentProcess.KERNEL32(?), ref: 00602082
• GetTickCount.KERNEL32 ref: 00602230
  • Part of subcall function 00601E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00601E7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: 1c05908e8332f2c0f6c33c38143c7fb2cde288243502d8b530b502e0e60caf20
• Instruction ID: d4bbff1380e136dd98fb3418034d05c4493a90962e40df13d55ed5cdf5de5bc5
• Opcode Fuzzy Hash: 1c05908e8332f2c0f6c33c38143c7fb2cde288243502d8b530b502e0e60caf20
• Instruction Fuzzy Hash: A25128B0580344AFE374AF758C8AF67BAEDEF54704F00081DF99682282D7B5A944C769
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00603068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00603078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00603095
• RtlAllocateHeap.NTDLL(00000000), ref: 006030B6
• htons.WS2_32(00000035), ref: 006030EF
• inet_addr.WS2_32(?), ref: 006030FA
• gethostbyname.WS2_32(?), ref: 0060310D
• HeapFree.KERNEL32(00000000), ref: 0060314D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: 42dca44393844f7192eea04adf073b8f5a34f3e9ffaa26fe603e657e69aefd8d
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: E531E731E40216ABDB159BB49C48AEF777DAF08362F144165E518E33D0DB74DE418B58
APIs
• GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
APIs
• IsBadReadPtr.KERNEL32(?,00000008), ref: 006067C3
• htonl.WS2_32(?), ref: 006067DF
• htonl.WS2_32(?), ref: 006067EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 006068F1
• ExitProcess.KERNEL32 ref: 006069BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitRead
• String ID: except_info$localcfg
• API String ID: 1430491713-3605449297
• Opcode ID: 509986b44764779889ec140751805dc5d86e13b3ca1e1aa93028e23e5d2d1926
• Instruction ID: b23914a89fcd64ab5afc59d3d28c65524e5bfdf9c5397cceab52a480675a0ee5
• Opcode Fuzzy Hash: 509986b44764779889ec140751805dc5d86e13b3ca1e1aa93028e23e5d2d1926
• Instruction Fuzzy Hash: 40617071A40208AFDB649FB4DC45FEA77E9FF08300F14806AF96DD21A1EA759990CF14
APIs
• htons.WS2_32(0060CC84), ref: 0060F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0060F5CE
• closesocket.WS2_32(00000000), ref: 0060F5DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 9a46c1aace4caf4b95a5a8e89bcc02224028bef9f85b1d8fc083fc7a80866bdc
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 31318071950118ABDB21DFA5DC85DEF7BBDEF89310F10457AF905D3190E7B08A828BA4
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                          • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                          • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                          • wsprintfA.USER32 ref: 00407036
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                          • String ID: /%d$|
                                                                                          • API String ID: 676856371-4124749705
                                                                                          • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                          • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                          • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                          • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(?), ref: 00602FA1
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00602FB1
                                                                                          • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00602FC8
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00603000
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00603007
                                                                                          • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00603032
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                          • String ID: dnsapi.dll
                                                                                          • API String ID: 1242400761-3175542204
                                                                                          • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                          • Instruction ID: 4a5fe35d8da6266fa33f8121a628a741460fa3887347c4e7f86384e71e8ab4c9
                                                                                          • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                          • Instruction Fuzzy Hash: 4B21A471981226BBCB229B54DC48AEFFBBDEF08B51F104421F902E7280D7B49E8187D4
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\cmxmskcp,00607043), ref: 00606F4E
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00606F55
                                                                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00606F7B
                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00606F92
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                          • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\cmxmskcp
                                                                                          • API String ID: 1082366364-2166947222
                                                                                          • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                          • Instruction ID: 2ce5cd39c038bbeabf50141046d14da8011b659c104837ebcdf801b2ac4791e5
                                                                                          • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                          • Instruction Fuzzy Hash: 4F214661BC434179F3365731AC89FFB2E4E8B52710F0840A9F400D56C1DAD988E682AD
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3609698214-2980165447
                                                                                          • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                          • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?), ref: 006092E2
                                                                                          • wsprintfA.USER32 ref: 00609350
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00609375
                                                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 00609389
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000), ref: 00609394
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0060939B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2439722600-2980165447
                                                                                          • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction ID: bfe57a4fc71bc86b956c85f6229a34bf72fae7eaa16dd9e6f9221353b497443a
                                                                                          • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction Fuzzy Hash: 81119AB17801247BE7646731DC0EFEF7A6EDBC4B10F00C569BB05E50D1EEB54A418668
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                          • wsprintfA.USER32 ref: 004090E9
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2439722600-2980165447
                                                                                          • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                          • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00609A18
                                                                                          • GetThreadContext.KERNEL32(?,?), ref: 00609A52
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00609A60
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00609A98
                                                                                          • SetThreadContext.KERNEL32(?,00010002), ref: 00609AB5
                                                                                          • ResumeThread.KERNEL32(?), ref: 00609AC2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2981417381-2746444292
                                                                                          • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                          • Instruction ID: 0de9fae4ea87dd00b72895c5890f947aba1d0ce24201110797387e5d6a0c2a61
                                                                                          • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                          • Instruction Fuzzy Hash: 68213BB1A41219BBDB219BA1DC09EEF7BBDEF04750F404061BA19E1191EB758A44CBA4
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(004102D8), ref: 00601C18
                                                                                          • LoadLibraryA.KERNEL32(004102C8), ref: 00601C26
                                                                                          • GetProcessHeap.KERNEL32 ref: 00601C84
                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00601C9D
                                                                                          • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00601CC1
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000), ref: 00601D02
                                                                                          • FreeLibrary.KERNEL32(?), ref: 00601D0B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID:
                                                                                          • API String ID: 2324436984-0
                                                                                          • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                          • Instruction ID: 90af031df8a9c33de3c3be54088a5b488752400ea334e28720cc9ca1c1289c7c
                                                                                          • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                          • Instruction Fuzzy Hash: 1D313031D80219BFCB159FE4DC888EFBABAEF46711B24447AE501A7290D7B58E80DB54
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                          • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1586453840-2980165447
                                                                                          • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                          • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                          • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1371578007-2980165447
                                                                                          • Opcode ID: 8d14f0f9d29bb03ce564d9d2efa64e335a6ea708645b73911051f25a1151d1b7
                                                                                          • Instruction ID: 9669132274562be234db05f10d2b02b24c7977acc8fbe0bb4274004673291573
                                                                                          • Opcode Fuzzy Hash: 8d14f0f9d29bb03ce564d9d2efa64e335a6ea708645b73911051f25a1151d1b7
                                                                                          • Instruction Fuzzy Hash: 1A4181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F604B21C1D7389A51DBA4
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00606CE4
                                                                                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00606D22
                                                                                          • GetLastError.KERNEL32 ref: 00606DA7
                                                                                          • CloseHandle.KERNEL32(?), ref: 00606DB5
                                                                                          • GetLastError.KERNEL32 ref: 00606DD6
                                                                                          • DeleteFileA.KERNEL32(?), ref: 00606DE7
                                                                                          • GetLastError.KERNEL32 ref: 00606DFD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                          • String ID:
                                                                                          • API String ID: 3873183294-0
                                                                                          • Opcode ID: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
                                                                                          • Instruction ID: 89413c475034482a2552d580d678b450cc334111bacd76a74e2ffea366c35948
                                                                                          • Opcode Fuzzy Hash: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
                                                                                          • Instruction Fuzzy Hash: 0F31FF72A40249BFCB05AFA4DD48ADF7FBAEF48300F148065F111E3291D7B08AA58B65
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0060E50A,00000000,00000000,00000000,00020106,00000000,0060E50A,00000000,000000E4), ref: 0060E319
                                                                                          • RegSetValueExA.ADVAPI32(0060E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0060E38E
                                                                                          • RegDeleteValueA.ADVAPI32(0060E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,D`), ref: 0060E3BF
                                                                                          • RegCloseKey.ADVAPI32(0060E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,D`,0060E50A), ref: 0060E3C8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID: PromptOnSecureDesktop$D`
                                                                                          • API String ID: 2667537340-1471834828
                                                                                          • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction ID: 7bc02e4fc611f494ae3ed125c91af2b8ca686896b2fb2415832930b5423ef460
                                                                                          • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction Fuzzy Hash: C7215E71A4022DBBDF249FA4EC89EDF7F7AEF08750F048425F904E6191E2728A54D7A0
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006093C6
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 006093CD
                                                                                          • CharToOemA.USER32(?,?), ref: 006093DB
                                                                                          • wsprintfA.USER32 ref: 00609410
                                                                                            • Part of subcall function 006092CB: GetTempPathA.KERNEL32(00000400,?), ref: 006092E2
                                                                                            • Part of subcall function 006092CB: wsprintfA.USER32 ref: 00609350
                                                                                            • Part of subcall function 006092CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00609375
                                                                                            • Part of subcall function 006092CB: lstrlen.KERNEL32(?,?,00000000), ref: 00609389
                                                                                            • Part of subcall function 006092CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00609394
                                                                                            • Part of subcall function 006092CB: CloseHandle.KERNEL32(00000000), ref: 0060939B
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00609448
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3857584221-2980165447
                                                                                          • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction ID: 66b840284e6ac0042d9211cabbb99710b4b16d03a2fd9add08b1d61b3065247c
                                                                                          • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction Fuzzy Hash: 64019EF69401187BDB20A7619D8DEDF3B7CDB85701F0000A6BB09E2080EAB49BC58F75
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                          • CharToOemA.USER32(?,?), ref: 00409174
                                                                                          • wsprintfA.USER32 ref: 004091A9
                                                                                            • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                            • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3857584221-2980165447
                                                                                          • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                          • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen
                                                                                          • String ID: $localcfg
                                                                                          • API String ID: 1659193697-2018645984
                                                                                          • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction ID: f5f0e6a239232b3fe66da1deb6423b85db05f87f4e1b174dda9b254ed0a017b1
                                                                                          • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction Fuzzy Hash: 67710971AC0304AAEF398BD4DC85FEF376B9F00385F24416AF905A61D1DB619D84875B
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                          • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                          • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                          • String ID: flags_upd$localcfg
                                                                                          • API String ID: 204374128-3505511081
                                                                                          • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                          • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                          APIs
                                                                                            • Part of subcall function 0060DF6C: GetCurrentThreadId.KERNEL32 ref: 0060DFBA
                                                                                          • lstrcmp.KERNEL32(00410178,00000000), ref: 0060E8FA
                                                                                          • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00606128), ref: 0060E950
                                                                                          • lstrcmp.KERNEL32(?,00000008), ref: 0060E989
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 2920362961-1846390581
                                                                                          • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction ID: 3e4c2bcf437347e5a11852a900633579aa40974a5cebe1a0052d1ceeec177275
                                                                                          • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction Fuzzy Hash: 9831B0316807259FCB79CF24C884BA77BE6EB15320F108D2EE59687691D372EC80CB85
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction ID: f552a068977ab52d6fd0c89de7ba5d01b8b6950a3ab35f65c4d26fbfa3e1d134
                                                                                          • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction Fuzzy Hash: E9218E76148219BFDB199B70FC49EDF3FAEDB48360B208425F502D10D1EB719A109678
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                          • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                          • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                          • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0060C6B4
                                                                                          • InterlockedIncrement.KERNEL32(0060C74B), ref: 0060C715
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0060C747), ref: 0060C728
                                                                                          • CloseHandle.KERNEL32(00000000,?,0060C747,00413588,00608A77), ref: 0060C733
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1026198776-1857712256
                                                                                          • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction ID: 24b3a9bba70c2f48d9bc4b692323ba6ee4716eec93a7a6b4edad37e5182ec2d3
                                                                                          • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction Fuzzy Hash: 97514BB5A40B418FD7788F69C98552BBBEAFB48310B505A3EE18BC7AD0D775F8408B14
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                            • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 124786226-2980165447
                                                                                          • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                          • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                          • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                          • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                          • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                          • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2667537340-2980165447
                                                                                          • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                          • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 006071E1
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00607228
                                                                                          • LocalFree.KERNEL32(?,?,?), ref: 00607286
                                                                                          • wsprintfA.USER32 ref: 0060729D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                          • String ID: |
                                                                                          • API String ID: 2539190677-2343686810
                                                                                          • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction ID: 15166f27ac6bf166ed40f8bab9b90bea49ed4678c15d287df934e8210a9a3d4c
                                                                                          • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction Fuzzy Hash: BF315C72944108BBCB11DFA8DC45ADB3BADEF04314F148066F809DB241EA75E7488BA4
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                          • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0060B51A
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0060B529
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0060B548
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0060B590
                                                                                          • wsprintfA.USER32 ref: 0060B61E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 4026320513-0
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: a713c1bd6d55d903456ca7437e11eb71e9fde705e18ef116205fe8ea64178c01
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: D4512171D4021CAACF19DFD5D8445EEBBB9BF48304F10816AF501A6150E7B84AC9CF98
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00606303
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 0060632A
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 006063B1
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 00606405
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction ID: 282e4a74672eb40117801d12cc0015738c4229909dbad1e1df50a1187214dd3f
                                                                                          • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction Fuzzy Hash: 4A417C71A40209ABDB1CCF58C894AAAB7B6EF04314F248069F815DB3D0E731ED61CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                          • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                          • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: A$ A
                                                                                          • API String ID: 3343386518-686259309
                                                                                          • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                          • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040272E
                                                                                          • htons.WS2_32(00000001), ref: 00402752
                                                                                          • htons.WS2_32(0000000F), ref: 004027D5
                                                                                          • htons.WS2_32(00000001), ref: 004027E3
                                                                                          • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                            • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1128258776-0
                                                                                          • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                          • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                          APIs
                                                                                          • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                          • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: setsockopt
                                                                                          • String ID:
                                                                                          • API String ID: 3981526788-0
                                                                                          • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                          • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                          APIs
                                                                                          • __CreateFrameInfo.LIBCMT ref: 00442007
                                                                                            • Part of subcall function 0043D346: __getptd.LIBCMT ref: 0043D354
                                                                                            • Part of subcall function 0043D346: __getptd.LIBCMT ref: 0043D362
                                                                                          • __getptd.LIBCMT ref: 00442011
                                                                                            • Part of subcall function 0043EA2F: __getptd_noexit.LIBCMT ref: 0043EA32
                                                                                            • Part of subcall function 0043EA2F: __amsg_exit.LIBCMT ref: 0043EA3F
                                                                                          • __getptd.LIBCMT ref: 0044201F
                                                                                          • __getptd.LIBCMT ref: 0044202D
                                                                                          • __getptd.LIBCMT ref: 00442038
                                                                                            • Part of subcall function 0043D3EB: __CallSettingFrame@12.LIBCMT ref: 0043D437
                                                                                            • Part of subcall function 00442105: __getptd.LIBCMT ref: 00442114
                                                                                            • Part of subcall function 00442105: __getptd.LIBCMT ref: 00442122
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
                                                                                          Similarity
                                                                                          • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                          • String ID:
                                                                                          • API String ID: 3282538202-0
                                                                                          • Opcode ID: 82b52318a1209ef730d5319d681579c68b95efd4f15e921cb8a75d79ffafd6a1
                                                                                          • Instruction ID: 1f26d2b162cf52cccfd16e20c8fbb1d915908f5f3995bdd14c1524195890a431
                                                                                          • Opcode Fuzzy Hash: 82b52318a1209ef730d5319d681579c68b95efd4f15e921cb8a75d79ffafd6a1
                                                                                          • Instruction Fuzzy Hash: 8A1107B1D01209DFDB00EFA5D845AEDBBB1FF08314F10906AF814B7292DB789A159F54
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                          • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000001,D`,00000000,00000000,00000000), ref: 0060E470
                                                                                          • CloseHandle.KERNEL32(00000001,00000003), ref: 0060E484
                                                                                            • Part of subcall function 0060E2FC: RegCreateKeyExA.ADVAPI32(80000001,0060E50A,00000000,00000000,00000000,00020106,00000000,0060E50A,00000000,000000E4), ref: 0060E319
                                                                                            • Part of subcall function 0060E2FC: RegSetValueExA.ADVAPI32(0060E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0060E38E
                                                                                            • Part of subcall function 0060E2FC: RegDeleteValueA.ADVAPI32(0060E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,D`), ref: 0060E3BF
                                                                                            • Part of subcall function 0060E2FC: RegCloseKey.ADVAPI32(0060E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,D`,0060E50A), ref: 0060E3C8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                          • String ID: PromptOnSecureDesktop$D`
                                                                                          • API String ID: 4151426672-1471834828
                                                                                          • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                          • Instruction ID: f6fe699f9cdd3cf87a807b95288eb787a70031fc33aca5be0b77203851efe956
                                                                                          • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                          • Instruction Fuzzy Hash: AF41EBB2D80224BAEB246F518C46FEF3B6DDF44724F148439F909941D2E7B6CA50D6B4
                                                                                          APIs
                                                                                            • Part of subcall function 0060DF6C: GetCurrentThreadId.KERNEL32 ref: 0060DFBA
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0060A6AC), ref: 0060E7BF
                                                                                          • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0060A6AC), ref: 0060E7EA
                                                                                          • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0060A6AC), ref: 0060E819
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1396056608-2980165447
                                                                                          • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                          • Instruction ID: e432a3ce8c9f9c32b9940b3ecc10d09fac2078b92ab52525846e53e81574ddcc
                                                                                          • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                          • Instruction Fuzzy Hash: 532107B1A803117AE22877719C0BFEB3E0DDF65760F10452CBA09A51D3EA56D45082B9
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                          • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3683885500-2980165447
                                                                                          • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                          • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                          • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                          • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 2574300362-1087626847
                                                                                          • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                          • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006076D9
                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0060796D
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0060797E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnumOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1332880857-2980165447
                                                                                          • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                          • Instruction ID: 1ca877d0efe0134af19799411b495c83391bbd6071a74882221177d6726408b8
                                                                                          • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                          • Instruction Fuzzy Hash: 9211EE70A44109AFDB118FA9DC45FEFBF7AEF82300F140165F512E62D1E6B19E408BA0
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2777991786-2393279970
                                                                                          • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                          • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0060999D
                                                                                          • RegDeleteValueA.ADVAPI32(?,00000000), ref: 006099BD
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 006099C6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteOpenValue
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 849931509-2980165447
                                                                                          • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                          • Instruction ID: bde14c43a3be25d7fb12ea7c9ba369c4fa591c76792886928569026d6699d854
                                                                                          • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                          • Instruction Fuzzy Hash: 6CF096B2680208BBF7116B54EC0BFDB3A2DDB95B14F104075FA05B50D2F6E59E9082BD
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                          • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                          • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteOpenValue
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 849931509-2980165447
                                                                                          • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                          • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                          • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                          • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                          APIs
                                                                                          • ___BuildCatchObject.LIBCMT ref: 0044239F
                                                                                            • Part of subcall function 004422FA: ___BuildCatchObjectHelper.LIBCMT ref: 00442330
                                                                                          • _UnwindNestedFrames.LIBCMT ref: 004423B6
                                                                                          • ___FrameUnwindToState.LIBCMT ref: 004423C4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                          • String ID: csm
                                                                                          • API String ID: 2163707966-1018135373
                                                                                          • Opcode ID: 84f9305d874a50c559aacd72def427a465394a76ca2251e82b6bc0fb57543b16
                                                                                          • Instruction ID: 162b1056426cc82c358fe9af72ed69cc294d3496da7099d7d246f226f1b9182b
                                                                                          • Opcode Fuzzy Hash: 84f9305d874a50c559aacd72def427a465394a76ca2251e82b6bc0fb57543b16
                                                                                          • Instruction Fuzzy Hash: 85012471400109BBEF226E62CD45EAA7E7AFF08358F004016BD1815121D7BA99B2EBA8
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg$u6A
                                                                                          • API String ID: 1594361348-1940331995
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 984fcb4d6cca28fd7470b81fb69de835d970889206e9035e18d40a40cab019bc
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: FCE0EC346445129FDB509B28F848AD777A6AF4A330F058595F454D72A0C7749CC19654
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 006069E5
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 00606A26
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 00606A3A
                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 00606BD8
                                                                                            • Part of subcall function 0060EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00601DCF,?), ref: 0060EEA8
                                                                                            • Part of subcall function 0060EE95: HeapFree.KERNEL32(00000000), ref: 0060EEAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 3384756699-0
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
                                                                                          Similarity
                                                                                          • API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
                                                                                          • String ID:
                                                                                          • API String ID: 1628550938-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
                                                                                          Similarity
                                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                          • String ID:
                                                                                          • API String ID: 3016257755-0
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006041AB
                                                                                          • GetLastError.KERNEL32 ref: 006041B5
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 006041C6
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006041D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0060421F
                                                                                          • GetLastError.KERNEL32 ref: 00604229
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 0060423A
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060424D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                          • GetLastError.KERNEL32 ref: 00403F4E
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                          • GetLastError.KERNEL32 ref: 00403FC2
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          APIs
                                                                                          • lstrcmp.KERNEL32(?,80000009), ref: 0060E066
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 1534048567-1846390581
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 0043E6FE
                                                                                            • Part of subcall function 0043EA2F: __getptd_noexit.LIBCMT ref: 0043EA32
                                                                                            • Part of subcall function 0043EA2F: __amsg_exit.LIBCMT ref: 0043EA3F
                                                                                          • __getptd.LIBCMT ref: 0043E715
                                                                                          • __amsg_exit.LIBCMT ref: 0043E723
                                                                                          • __lock.LIBCMT ref: 0043E733
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
                                                                                          Similarity
                                                                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                          • String ID:
                                                                                          • API String ID: 3521780317-0
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                          • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                          • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                          • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                          • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                          • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00403103
                                                                                          • GetTickCount.KERNEL32 ref: 0040310F
                                                                                          • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                          • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                          • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                            • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 4151426672-2980165447
                                                                                          • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                          • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                          • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                          • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 006083C6
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00608477
                                                                                            • Part of subcall function 006069C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 006069E5
                                                                                            • Part of subcall function 006069C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00606A26
                                                                                            • Part of subcall function 006069C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00606A3A
                                                                                            • Part of subcall function 0060EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00601DCF,?), ref: 0060EEA8
                                                                                            • Part of subcall function 0060EE95: HeapFree.KERNEL32(00000000), ref: 0060EEAF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 359188348-2980165447
                                                                                          • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction ID: dc6905d8ed84855177189277f6b5df549201cd8d89e89fdb6cacc4e5cc18cbcc
                                                                                          • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction Fuzzy Hash: 2B4194B298010ABFDB18EBA0DD81DFF77AEEB00300F1444AAF544D7191FAB15E548B65
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,0060E859,00000000,00020119,0060E859,PromptOnSecureDesktop), ref: 0060E64D
                                                                                          • RegCloseKey.ADVAPI32(0060E859,?,?,?,?,000000C8,000000E4), ref: 0060E787
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 47109696-2980165447
                                                                                          • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                          • Instruction ID: e048254597bc9394ca32861aa3cecaec215f04e1d0411b9ee23e243ba30613e1
                                                                                          • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                          • Instruction Fuzzy Hash: F34137B2D4011DBFDF11EF94DC81DEFBBBAEB14304F104466F910A6291E3729A558B60
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0060AFFF
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0060B00D
                                                                                            • Part of subcall function 0060AF6F: gethostname.WS2_32(?,00000080), ref: 0060AF83
                                                                                            • Part of subcall function 0060AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0060AFE6
                                                                                            • Part of subcall function 0060331C: gethostname.WS2_32(?,00000080), ref: 0060333F
                                                                                            • Part of subcall function 0060331C: gethostbyname.WS2_32(?), ref: 00603349
                                                                                            • Part of subcall function 0060AA0A: inet_ntoa.WS2_32(00000000), ref: 0060AA10
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %OUTLOOK_BND_
                                                                                          • API String ID: 1981676241-3684217054
                                                                                          • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction ID: f9a88e25c353402b199e5b9d6398c3dad3fb7cd121a6723e123a395fd7d4071b
                                                                                          • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction Fuzzy Hash: F741537294020CABDF69EFA0DC46EEF3B6DFF08304F14442AF92592192EB75D6548B58
                                                                                          APIs
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00609536
                                                                                          • Sleep.KERNEL32(000001F4), ref: 0060955D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShellSleep
                                                                                          • String ID:
                                                                                          • API String ID: 4194306370-3916222277
                                                                                          • Opcode ID: 613737ed03f357cab549a3687ea981c82f12aceb2df9588eb74e5abe8a71fcc2
                                                                                          • Instruction ID: cd3594e48aebd119f322e9e16c43588eeea33a5e37c69adae99acb2114afb12d
                                                                                          • Opcode Fuzzy Hash: 613737ed03f357cab549a3687ea981c82f12aceb2df9588eb74e5abe8a71fcc2
                                                                                          • Instruction Fuzzy Hash: 9F4104718882856EEB3F8A65DC9C7E77BE79B42314F1840A5D082972E3D6744D828731
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0060B9D9
                                                                                          • InterlockedIncrement.KERNEL32(00413648), ref: 0060BA3A
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 0060BA94
                                                                                          • GetTickCount.KERNEL32 ref: 0060BB79
                                                                                          • GetTickCount.KERNEL32 ref: 0060BB99
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 0060BE15
                                                                                          • closesocket.WS2_32(00000000), ref: 0060BEB4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountIncrementInterlockedTick$closesocket
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 1869671989-2903620461
                                                                                          • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction ID: 51670c4b3fddb2ab554a4af19c4c9b1a14cb7032ae75c4ad32b416f5cad987ad
                                                                                          • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction Fuzzy Hash: 92318F71580248DFDF29DFA4DC44AEA77BAEB44740F20805AFA14922D1DB74DA85CF14
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                          • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                          APIs
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                          • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                          APIs
                                                                                            • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                            • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 3716169038-2903620461
                                                                                          • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                          • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 006070BC
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 006070F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID: |
                                                                                          • API String ID: 2370142434-2343686810
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: 09141670dc1b5f3f1294f6c112bada7a973cc035d27214df5169462ca0816dab
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: 61111872D44118EBDF15CBD4DC84ADFB7BEAB05301F1841A6E501E61D0D670AB998BA0
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2777991786-1857712256
                                                                                          • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                          • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                          • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: IncrementInterlockedlstrcpyn
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 224340156-2903620461
                                                                                          • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                          • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                          • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 00442114
                                                                                            • Part of subcall function 0043EA2F: __getptd_noexit.LIBCMT ref: 0043EA32
                                                                                            • Part of subcall function 0043EA2F: __amsg_exit.LIBCMT ref: 0043EA3F
                                                                                          • __getptd.LIBCMT ref: 00442122
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133178272.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_415000_6foBmRMlDy.jbxd
                                                                                          Similarity
                                                                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                          • String ID: csm
                                                                                          • API String ID: 803148776-1018135373
                                                                                          • Opcode ID: dc06647ed881300172cdfc684aac1163bc2a0f868911a398cd8d5672599b3405
                                                                                          • Instruction ID: 96f6a5e9f7941ab84f0187159e4ce633c560aaca1b25a4ff6305554a5f7d0553
                                                                                          • Opcode Fuzzy Hash: dc06647ed881300172cdfc684aac1163bc2a0f868911a398cd8d5672599b3405
                                                                                          • Instruction Fuzzy Hash: FC018B388002018AEF34AF22D5407AEB3B5BF94311FA4542FF441A63A1CBB89D81CF49
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                          • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                          APIs
                                                                                            • Part of subcall function 00602F88: GetModuleHandleA.KERNEL32(?), ref: 00602FA1
                                                                                            • Part of subcall function 00602F88: LoadLibraryA.KERNEL32(?), ref: 00602FB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006031DA
                                                                                          • HeapFree.KERNEL32(00000000), ref: 006031E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133397787.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_600000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction ID: a7088c39696391252968a096388e7f24de6d2c6100a61351bc921582b74d4ccd
                                                                                          • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction Fuzzy Hash: FD51DC3194021AAFCB09DF64D8889EAB77AFF09301B1440A8EC9687351E732DB19CB94
                                                                                          APIs
                                                                                            • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2133127134.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2133127134.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_6foBmRMlDy.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                          • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                          Execution Graph

                                                                                          Execution Coverage:3.3%
                                                                                          Dynamic/Decrypted Code Coverage:26.1%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:459
                                                                                          Total number of Limit Nodes:41
LoadLibraryA 21643->21647 21645 d708c7 21646->21645 21647->21643 21647->21646 21649 d70223 21648->21649 21650 d70d90 21649->21650 21651 d70dad 21650->21651 21652 d70dbb GetPEB 21651->21652 21653 d70238 VirtualAlloc 21651->21653 21652->21653 21653->21639 22144 404e92 GetTickCount GetTickCount Sleep InterlockedExchange 21798 73c5ab 21799 73c5ba 21798->21799 21802 73cd4b 21799->21802 21803 73cd66 21802->21803 21804 73cd6f CreateToolhelp32Snapshot 21803->21804 21805 73cd8b Module32First 21803->21805 21804->21803 21804->21805 21806 73c5c3 21805->21806 21807 73cd9a 21805->21807 21809 73ca0a 21807->21809 21810 73ca35 21809->21810 21811 73ca7e 21810->21811 21812 73ca46 VirtualAlloc 21810->21812 21811->21811 21812->21811 22065 405099 GetTickCount GetTickCount Sleep InterlockedExchange 22066 d7380c Sleep LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 22067 d73437 14 API calls codecvt 22100 4035a5 8 API calls 22179 d78330 78 API calls codecvt
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                            • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                          • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                          • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                          • ExitProcess.KERNEL32 ref: 00409C06
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                          • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                          • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                          • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                          • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                          • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                          • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                          • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                          • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                          • wsprintfA.USER32 ref: 0040A0B6
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                          • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                          • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                          • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                          • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                            • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                          • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                          • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                          • DeleteFileA.KERNEL32(C:\Users\user\Desktop\6foBmRMlDy.exe), ref: 0040A407
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                          • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                          • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                          • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                          • Sleep.KERNEL32(00001838), ref: 0040A4C3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                          • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\6foBmRMlDy.exe$C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$D$P$\$gqbqwogt
                                                                                          • API String ID: 2089075347-832082967
                                                                                          • Opcode ID: 68b797b8a1a511787d44de11c5faf4c0f38f9e92d064f931bb102e5cd7b1cfad
                                                                                          • Instruction ID: bd119e6c4087cb98d252ff90c2b4564d186cc4371c54d2626973292121ed4095
                                                                                          • Opcode Fuzzy Hash: 68b797b8a1a511787d44de11c5faf4c0f38f9e92d064f931bb102e5cd7b1cfad
                                                                                          • Instruction Fuzzy Hash: 0B52A1B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                            • Part of subcall function 0043C50B: __lock.LIBCMT ref: 0043C529
                                                                                            • Part of subcall function 0043C50B: ___sbh_find_block.LIBCMT ref: 0043C534
                                                                                            • Part of subcall function 0043C50B: ___sbh_free_block.LIBCMT ref: 0043C543
                                                                                          • _realloc.LIBCMT ref: 0043B947
                                                                                            • Part of subcall function 0043CA60: _malloc.LIBCMT ref: 0043CA76
                                                                                          • _fseek.LIBCMT ref: 0043B94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: ___sbh_find_block___sbh_free_block__lock_fseek_malloc_realloc
                                                                                          • String ID: $&s$/H;+$0ugV$?zEo$C:7C$Z1S9$agYU$cg P$k3nU$kd@9$p7~$|%FH
                                                                                          • API String ID: 3289479739-3763514964
                                                                                          • Opcode ID: 7dcdd3eaea46ffe2a30c8f0310ea7705a34f69824791a8e454ba313e888b229a
                                                                                          • Instruction ID: d87394b33d7e6c5c910dd0271f55276661a3dd12386dfd98f108e32f406b15c8
                                                                                          • Opcode Fuzzy Hash: 7dcdd3eaea46ffe2a30c8f0310ea7705a34f69824791a8e454ba313e888b229a
                                                                                          • Instruction Fuzzy Hash: 8902FCB5609380DFD2708F6AC489B8EFBE4BF85314F40891DE69A9B610D7709885CF97

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,?), ref: 0040638F
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,?), ref: 004063A9
                                                                                          • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                          • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                          • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                          • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                          • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          • Opcode ID: 573530a394494cd252acd85827aa24eb1d86e5d70ab511f0ce4f94472402c086
                                                                                          • Instruction ID: 197d4fc66f8e4192ef9d41e029ea27591e600de1538a1216c66efdd274428ce7
                                                                                          • Opcode Fuzzy Hash: 573530a394494cd252acd85827aa24eb1d86e5d70ab511f0ce4f94472402c086
                                                                                          • Instruction Fuzzy Hash: F8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00D7024D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID: cess$kernel32.dll
                                                                                          • API String ID: 4275171209-1230238691

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                          • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                          • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2098669666-2746444292

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • _strlen.LIBCMT ref: 0043AFA0
                                                                                          • _feof.LIBCMT ref: 0043AFBA
                                                                                            • Part of subcall function 0043ADE0: VirtualProtect.KERNELBASE(0045A480,0045A9F4,00000020,?), ref: 0043AE8F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual_feof_strlen
                                                                                          • String ID: 89A$=<9A$Bq ${
                                                                                          • API String ID: 1251290033-441600927

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                          • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID:
                                                                                          • API String ID: 1371578007-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                          • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                          • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                          • String ID:
                                                                                          • API String ID: 408151869-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • VirtualProtect.KERNELBASE(0045A480,0045A9F4,00000020,?), ref: 0043AE8F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-3916222277

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID:
                                                                                          • API String ID: 2370142434-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0073CD73
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 0073CD93
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130315965.000000000072D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72d000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000400,?,?,00D70223,?,?), ref: 00D70E19
                                                                                          • SetErrorMode.KERNELBASE(00000000,?,?,00D70223,?,?), ref: 00D70E1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1823874839-0
                                                                                          • Opcode ID: 54bc16a58432e014760a8219cb6401776c0b2f7f4e35f25b0da1a83a0963d2cd
                                                                                          • Instruction ID: 594da891b9e57e87d6aa513f65a0e563028cfc4c29bd5910f078fc56da7159a2
                                                                                          • Opcode Fuzzy Hash: 54bc16a58432e014760a8219cb6401776c0b2f7f4e35f25b0da1a83a0963d2cd
                                                                                          • Instruction Fuzzy Hash: 84F0C2B6104218AFD710DB64EEC4FE77BAED714308F1084B6F286E3141D6B89DA85B6C

                                                                                          Control-flow Graph

                                                                                          Control-flow graph (image not reproduced): basic blocks 409892-4098f1, with a call to SetServiceStatus
                                                                                          APIs
                                                                                          • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ServiceStatus
                                                                                          • String ID:
                                                                                          • API String ID: 3969395364-0
                                                                                          • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                          • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                          • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                          • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                          APIs
                                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0043EF03
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 10892065-0
                                                                                          • Opcode ID: ba49affe4ba948a0bcfaba6f076b34328c56a29a8243271a74c8c5a257fdd3ef
                                                                                          • Instruction ID: c47c4244610d5876d865f45c43479abe6b0c6b95a462d5fe56188cfb810440df
                                                                                          • Opcode Fuzzy Hash: ba49affe4ba948a0bcfaba6f076b34328c56a29a8243271a74c8c5a257fdd3ef
                                                                                          • Instruction Fuzzy Hash: EED05E765583486EDB105F716C087263BDCA388396F044436B90CC6190E7B5C940C508
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0073CA5B
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130315965.000000000072D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72d000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: 26e07ffa80174fc54d8b7de4562cf9380a7f7e7ba7da5eeac39c307ba590413a
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: 9F112A79A00208EFDB01DF98C985E98BBF5AF08351F1580A4F948AB362D375EA50DB90
                                                                                          APIs
                                                                                            • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                          • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3100162736-0
                                                                                          • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                          • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                          • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                          • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 00D765F6
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00D76610
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00D76631
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00D76652
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction ID: af0589ea6862a97b62c587bb980df2ff119c90bbf06b67c4d232caabbad29e60
                                                                                          • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction Fuzzy Hash: FF115171600218BFDB219F65DC46F9B3FA8EB057A5F148064FA08A7251F6B1DD009AB4
                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32 ref: 00D79E6D
                                                                                          • lstrcpy.KERNEL32(?,00000000), ref: 00D79FE1
                                                                                          • lstrcat.KERNEL32(?,?), ref: 00D79FF2
                                                                                          • lstrcat.KERNEL32(?,0041070C), ref: 00D7A004
                                                                                          • GetFileAttributesExA.KERNEL32(?,?,?), ref: 00D7A054
                                                                                          • DeleteFileA.KERNEL32(?), ref: 00D7A09F
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00D7A0D6
                                                                                          • lstrcpy.KERNEL32 ref: 00D7A12F
                                                                                          • lstrlen.KERNEL32(00000022), ref: 00D7A13C
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 00D79F13
                                                                                            • Part of subcall function 00D77029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00D77081
                                                                                            • Part of subcall function 00D76F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\cmxmskcp,00D77043), ref: 00D76F4E
                                                                                            • Part of subcall function 00D76F30: GetProcAddress.KERNEL32(00000000), ref: 00D76F55
                                                                                            • Part of subcall function 00D76F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00D76F7B
                                                                                            • Part of subcall function 00D76F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00D76F92
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 00D7A1A2
                                                                                          • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00D7A1C5
                                                                                          • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 00D7A214
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 00D7A21B
                                                                                          • GetDriveTypeA.KERNEL32(?), ref: 00D7A265
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 00D7A29F
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 00D7A2C5
                                                                                          • lstrcat.KERNEL32(?,00000022), ref: 00D7A2D9
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 00D7A2F4
                                                                                          • wsprintfA.USER32 ref: 00D7A31D
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 00D7A345
                                                                                          • lstrcat.KERNEL32(?,?), ref: 00D7A364
                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 00D7A387
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 00D7A398
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00D7A1D1
                                                                                            • Part of subcall function 00D79966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 00D7999D
                                                                                            • Part of subcall function 00D79966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 00D799BD
                                                                                            • Part of subcall function 00D79966: RegCloseKey.ADVAPI32(?), ref: 00D799C6
                                                                                          • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 00D7A3DB
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 00D7A3E2
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 00D7A41D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                          • String ID: "$"$"$D$P$\
                                                                                          • API String ID: 1653845638-2605685093
                                                                                          • Opcode ID: f09d99bef10a707308c08a341eb846df543125ad02325dd00d10b794679eceeb
                                                                                          • Instruction ID: 28c86946f18af0390c8b3291b3858272d08dbf26d1e14e39f28d07d4078d985a
                                                                                          • Opcode Fuzzy Hash: f09d99bef10a707308c08a341eb846df543125ad02325dd00d10b794679eceeb
                                                                                          • Instruction Fuzzy Hash: 51F133B1D40259AFDF21DBA48C49EEFBBBCAB48300F5484A6F509E2141F7758A848F75
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                          • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                          • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                          • API String ID: 2238633743-3228201535
                                                                                          • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                          • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                          • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                          • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                          • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                          • wsprintfA.USER32 ref: 0040B3B7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                          • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                          • API String ID: 766114626-2976066047
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                          • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$D
                                                                                          • API String ID: 2976863881-2668765463
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00D77D21
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00D77D46
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00D77D7D
                                                                                          • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00D77DA2
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00D77DC0
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00D77DD1
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00D77DE5
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00D77DF3
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00D77E03
                                                                                          • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00D77E12
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00D77E19
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D77E35
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$D
                                                                                          • API String ID: 2976863881-2668765463
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                          • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                          • API String ID: 2400214276-165278494
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040A7FB
                                                                                          • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                          • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                          • wsprintfA.USER32 ref: 0040A8AF
                                                                                          • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                          • wsprintfA.USER32 ref: 0040A8E2
                                                                                          • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                          • wsprintfA.USER32 ref: 0040A9B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$send$lstrlenrecv
                                                                                          • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                          • API String ID: 3650048968-2394369944
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00D77A96
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00D77ACD
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00D77ADF
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00D77B01
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00D77B1F
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00D77B39
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00D77B4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00D77B58
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00D77B68
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00D77B77
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00D77B7E
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D77B9A
                                                                                          • GetAce.ADVAPI32(?,?,?), ref: 00D77BCA
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00D77BF1
                                                                                          • DeleteAce.ADVAPI32(?,?), ref: 00D77C0A
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 00D77C2C
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00D77CB1
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00D77CBF
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00D77CD0
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00D77CE0
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00D77CEE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                          • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                          • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                          • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$localcfg
                                                                                          • API String ID: 237177642-2863267139
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                          • API String ID: 1628651668-1839596206
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                          • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                            • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                          • API String ID: 4207808166-1381319158
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                          • API String ID: 835516345-270533642
                                                                                          • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                          • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                          • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                          • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 00D7865A
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 00D7867B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 00D786A8
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00D786B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: "$C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe
                                                                                          • API String ID: 237177642-2678118854
                                                                                          • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                          • Instruction ID: c7c58f892ba44053ee145756bc67f5bd77b4fae661e54c241737af15ffee961e
                                                                                          • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                          • Instruction Fuzzy Hash: 55C18471940249BEEB11ABA4DD89EEF7B7DEB04300F188076F609E6051FB704A94AB75
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                                          • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                          • htons.WS2_32(00000000), ref: 00402ADB
                                                                                          • select.WS2_32 ref: 00402B28
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                          • htons.WS2_32(?), ref: 00402B71
                                                                                          • htons.WS2_32(?), ref: 00402B8C
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 1639031587-0
                                                                                          • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                          • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                          • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                          • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 00D71601
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 00D717D8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $<$@$D
                                                                                          • API String ID: 1628651668-1974347203
                                                                                          • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                          • Instruction ID: 2ce56e4f1902ac4c83f1a00d70adcbea95accc6f8fea1a41ddf3645813bd7f0f
                                                                                          • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                          • Instruction Fuzzy Hash: 72F190B55083419FD720CF68C889BABB7E4FB88300F148A2DF69997290E774D945CB62
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 00D776D9
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00D77757
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 00D7778F
                                                                                          • ___ascii_stricmp.LIBCMT ref: 00D778B4
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00D7794E
                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00D7796D
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00D7797E
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00D779AC
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00D77A56
                                                                                            • Part of subcall function 00D7F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,00D7772A,?), ref: 00D7F414
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00D779F6
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00D77A4D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          • Opcode ID: ee68fc272f5aca9451a2f3cc8bacf15325f24d7edfc7c02b11cb973e6eadd9ed
                                                                                          • Instruction ID: 0ad9bf5db6b93752658bee5267f527fb58940476b1077d7a7cbdbbf0d7477051
                                                                                          • Opcode Fuzzy Hash: ee68fc272f5aca9451a2f3cc8bacf15325f24d7edfc7c02b11cb973e6eadd9ed
                                                                                          • Instruction Fuzzy Hash: 80C18272904209AFEB21DBA4DC45FEEBBB9EF45310F1484A5F508E6191FB71DA848B70
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                                          • RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                                          • RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                                          • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                          • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                          • String ID: $"
                                                                                          • API String ID: 4293430545-3817095088
                                                                                          • Opcode ID: 3f864b9e64e2f7a1d4d97f78ecf1fd3725cd2b03a8b023efc5a10220ad7d3397
                                                                                          • Instruction ID: 7765b981cd58ee1688e4c4772d4ab21dab1833365f63e39a1c5bd68b3cda8b0b
                                                                                          • Opcode Fuzzy Hash: 3f864b9e64e2f7a1d4d97f78ecf1fd3725cd2b03a8b023efc5a10220ad7d3397
                                                                                          • Instruction Fuzzy Hash: E2B17071D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00D72CED
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 00D72D07
                                                                                          • htons.WS2_32(00000000), ref: 00D72D42
                                                                                          • select.WS2_32 ref: 00D72D8F
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 00D72DB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00D72E62
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 127016686-0
                                                                                          • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction ID: f981581ceac0e363a9200ae42dc7bbf82f5506728d83e5eb606cb9b07012400d
                                                                                          • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction Fuzzy Hash: B161E071504385ABC3209F65DC48B7BBBF8EF48351F148819F98897251E7B4D8808BB6
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                            • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                            • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                          • wsprintfA.USER32 ref: 0040AEA5
                                                                                            • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                          • wsprintfA.USER32 ref: 0040AE4F
                                                                                          • wsprintfA.USER32 ref: 0040AE5E
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                          • API String ID: 3631595830-1816598006
                                                                                          • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                          • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                          • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                          • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                          • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                          • htons.WS2_32(00000035), ref: 00402E88
                                                                                          • inet_addr.WS2_32(?), ref: 00402E93
                                                                                          • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                          • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: GetNetworkParams$iphlpapi.dll
                                                                                          • API String ID: 929413710-2099955842
                                                                                          • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                          • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                          • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                          • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                          • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                          • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                                          • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                                          • CloseHandle.KERNEL32(000000FF,?,76230F10,00000000), ref: 00406971
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 2622201749-0
                                                                                          • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                          • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                          • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                          • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                          • wsprintfA.USER32 ref: 004093CE
                                                                                          • wsprintfA.USER32 ref: 0040940C
                                                                                          • wsprintfA.USER32 ref: 0040948D
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: runas
                                                                                          • API String ID: 3696105349-4000483414
                                                                                          • Opcode ID: dd8323cc3663becab7e2967d3efa69540a9c24c17e68938a9fe8f8f1d062e2db
                                                                                          • Instruction ID: 06034c09a380b67456f64a6cc71bbc1075b83f40537ea60a42ab4a6d8e407b0f
                                                                                          • Opcode Fuzzy Hash: dd8323cc3663becab7e2967d3efa69540a9c24c17e68938a9fe8f8f1d062e2db
                                                                                          • Instruction Fuzzy Hash: 3AA181B2540208BBEB21DFA1CC45FDF3BACEB44344F104437FA05A6192D7B999948FA9
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040B467
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$wsprintf
                                                                                          • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                          • API String ID: 1220175532-2340906255
                                                                                          • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                          • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                          • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                          • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 00D7202D
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 00D7204F
                                                                                          • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 00D7206A
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00D72071
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00D72082
                                                                                          • GetTickCount.KERNEL32 ref: 00D72230
                                                                                            • Part of subcall function 00D71E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00D71E7C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                          • API String ID: 4207808166-1391650218
                                                                                          • Opcode ID: 1c05908e8332f2c0f6c33c38143c7fb2cde288243502d8b530b502e0e60caf20
                                                                                          • Instruction ID: df1a970853ae3a683ffb097f151978d6796622a3c37fd500e46dfe72005785bb
                                                                                          • Opcode Fuzzy Hash: 1c05908e8332f2c0f6c33c38143c7fb2cde288243502d8b530b502e0e60caf20
                                                                                          • Instruction Fuzzy Hash: 4E51A4B09003446FE330AF658C86F67BBECEB55704F44892DF99E82142F7B9A9848775
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00402078
                                                                                          • GetTickCount.KERNEL32 ref: 004020D4
                                                                                          • GetTickCount.KERNEL32 ref: 004020DB
                                                                                          • GetTickCount.KERNEL32 ref: 0040212B
                                                                                          • GetTickCount.KERNEL32 ref: 00402132
                                                                                          • GetTickCount.KERNEL32 ref: 00402142
                                                                                            • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                            • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                            • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                            • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                            • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                          • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                          • API String ID: 3976553417-1522128867
                                                                                          • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                          • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                          • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                          • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                          APIs
                                                                                          • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                          • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
                                                                                          • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                          • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                          • ExitProcess.KERNEL32 ref: 00404121
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2404124870-0
                                                                                          • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                          • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                          • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                          APIs
                                                                                            • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                          • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                          • GetTickCount.KERNEL32 ref: 0040C363
                                                                                          • GetTickCount.KERNEL32 ref: 0040C378
                                                                                          • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                          • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                          • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1553760989-1857712256
                                                                                          • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                          • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                          • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                          • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00D73068
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00D73078
                                                                                          • GetProcAddress.KERNEL32(00000000,00410408), ref: 00D73095
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00D730B6
                                                                                          • htons.WS2_32(00000035), ref: 00D730EF
                                                                                          • inet_addr.WS2_32(?), ref: 00D730FA
                                                                                          • gethostbyname.WS2_32(?), ref: 00D7310D
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00D7314D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: iphlpapi.dll
                                                                                          • API String ID: 2869546040-3565520932
                                                                                          • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                          • Instruction ID: 61ab24285c855f7272049497d0a5810f425d0fab57cfc3983796e6327cc5aef5
                                                                                          • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                          • Instruction Fuzzy Hash: C0319531A00706ABDF119BB49C49AAE7778AF04760F58C125E91CE7290EB74DA419B64
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?), ref: 00D795A7
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00D795D5
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00D795DC
                                                                                          • wsprintfA.USER32 ref: 00D79635
                                                                                          • wsprintfA.USER32 ref: 00D79673
                                                                                          • wsprintfA.USER32 ref: 00D796F4
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00D79758
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00D7978D
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00D797D8
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID:
                                                                                          • API String ID: 3696105349-0
                                                                                          • Opcode ID: e35f04148ce3af63e99fbb061a16182ac2415cb778cceb4801d6d6173470cb1c
                                                                                          • Instruction ID: 9de33349ec8de31ce36edf3988a0711f5d27330ce01af65a0bbc8ffcbd2e6cf1
                                                                                          • Opcode Fuzzy Hash: e35f04148ce3af63e99fbb061a16182ac2415cb778cceb4801d6d6173470cb1c
                                                                                          • Instruction Fuzzy Hash: 8AA18DB2900208AFEB25DFA4CC55FDA7BACEB05300F108026FA09D6151F7B5D984CBB5
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
• Instruction ID: 39f8afa0f9c16d59a54efa000c115c62b3535d7a3470d06cdb9238e0f04a129a
• Opcode Fuzzy Hash: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
• Instruction Fuzzy Hash: C531E0B2900108BFDB01DFA09D44ADF7F78AF48314F158076E112F7291D778A9648F69
APIs
• IsBadReadPtr.KERNEL32(?,00000008), ref: 00D767C3
• htonl.WS2_32(?), ref: 00D767DF
• htonl.WS2_32(?), ref: 00D767EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 00D768F1
• ExitProcess.KERNEL32 ref: 00D769BC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitRead
• String ID: except_info$localcfg
• API String ID: 1430491713-3605449297
• Opcode ID: 509986b44764779889ec140751805dc5d86e13b3ca1e1aa93028e23e5d2d1926
• Instruction ID: 9a7cc3c831fb0917414932bb97dc144081645535a685cfc31f1c629e597d7374
• Opcode Fuzzy Hash: 509986b44764779889ec140751805dc5d86e13b3ca1e1aa93028e23e5d2d1926
• Instruction Fuzzy Hash: 93616E71A40208AFDB609FB4DC45FEA77E9FB08300F248066FA6DD2161EB7599948F64
APIs
• htons.WS2_32(00D7CC84), ref: 00D7F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 00D7F5CE
• closesocket.WS2_32(00000000), ref: 00D7F5DC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 04eed95930fafb1e532d556ba6384d4bdd2e6d89feeaecab57dd84be9894af62
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: D1316072900118ABDB20DFA5DC85DEF7BBCEF49310F108576F919D3150E7709A818BA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 00D72FA1
• LoadLibraryA.KERNEL32(?), ref: 00D72FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00D72FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00D73000
• RtlAllocateHeap.NTDLL(00000000), ref: 00D73007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00D73032
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 54a623e7ca50359f0691b2845bfd538e84fb5044beadbf4ff2fd8300fb1f9659
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 52216071901629BBCB219F65DC49EAEFBB8EF08B50F148421F909E7140E7B49EC197E4
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00D79A18
• GetThreadContext.KERNEL32(?,?), ref: 00D79A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00D79A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00D79A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00D79AB5
• ResumeThread.KERNEL32(?), ref: 00D79AC2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: fa7bb2d4ecd93f33223b222884586b05cb48b2e48f74ab0dafadceab8ae19d50
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: D5213D72902219BBDB11DBA1DC09EEFBBBCEF05750F448061BA19E5150F7758A44CBB4
APIs
• inet_addr.WS2_32(004102D8), ref: 00D71C18
• LoadLibraryA.KERNEL32(004102C8), ref: 00D71C26
• GetProcessHeap.KERNEL32 ref: 00D71C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00D71C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00D71CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 00D71D02
• FreeLibrary.KERNEL32(?), ref: 00D71D0B
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 03731f461915edb934bf91966c8ea4d36e9d06897a5fe9dfcad061e5628b65d0
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: F7314336D00219BFCB219FE8DC888FEBBB9EB45711B28857AE505A2110E7B54D80DB64
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00D76CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00D76D22
• GetLastError.KERNEL32 ref: 00D76DA7
• CloseHandle.KERNEL32(?), ref: 00D76DB5
• GetLastError.KERNEL32 ref: 00D76DD6
• DeleteFileA.KERNEL32(?), ref: 00D76DE7
• GetLastError.KERNEL32 ref: 00D76DFD
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
• Instruction ID: ba16f7aa594475d73aaf3a051c3be45071dd1797771d8a885c5beeb4f9864bd6
• Opcode Fuzzy Hash: f90c53903c5e7bc53eced6da245d78f0497ab651d24c434d9efbd75cec7a0e65
• Instruction Fuzzy Hash: 2E310E72A00649BFCB21DFA49D48ADE7F78EB48300F18C065E259E3211F7708A988B75
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\cmxmskcp,00D77043), ref: 00D76F4E
• GetProcAddress.KERNEL32(00000000), ref: 00D76F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00D76F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00D76F92
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\cmxmskcp
• API String ID: 1082366364-3093387212
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: a5522164844f7a239b44152a4a08d1f87a1383c6ac48e1b60374cb403deefe97
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 4421CF217453407AF7325335AC89FBB2A5C8F52720F1CC0A5F948A6191FAD9C8D682BD
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction ID: 5e65a1ea47d00e255dd02fbb77232059c24100c0a0f67edb0051873f43de18f9
                                                                                          • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction Fuzzy Hash: 80710872A40314BADF319B5CDC86BEE3769DB80715F28C067F90CA6091FA629D848777
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                          • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                          • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                          • String ID: flags_upd$localcfg
                                                                                          • API String ID: 204374128-3505511081
                                                                                          • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                          • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                          APIs
                                                                                            • Part of subcall function 00D7DF6C: GetCurrentThreadId.KERNEL32 ref: 00D7DFBA
                                                                                          • lstrcmp.KERNEL32(00410178,00000000), ref: 00D7E8FA
                                                                                          • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00D76128), ref: 00D7E950
                                                                                          • lstrcmp.KERNEL32(?,00000008), ref: 00D7E989
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 2920362961-1846390581
                                                                                          • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction ID: b04b4933ae8572374221ab5ea4a61207db99e21e41c2ccd4fdee243017d35663
                                                                                          • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction Fuzzy Hash: B731B0326007059BCB71CF24C884BA67BE4EF09320F58C9AAE69987551F370E880CFA1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                          • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                          • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction ID: fa71bf60281b41d26faac38e60196e76cad4da0bd0d52f52721134ddb1644554
                                                                                          • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction Fuzzy Hash: D4214A76204619BFDB119BA0EC49EDF3FADEB49360B24C465F50AD1091FB70DA409674
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                          • wsprintfA.USER32 ref: 004090E9
                                                                                          • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 2439722600-0
                                                                                          • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                          • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?), ref: 00D792E2
                                                                                          • wsprintfA.USER32 ref: 00D79350
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D79375
                                                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 00D79389
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000), ref: 00D79394
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00D7939B
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 2439722600-0
                                                                                          • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction ID: da4fcd9ef3978045be792a22e05583ede1c533b561f36ba9c239ceb8060e86c1
                                                                                          • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction Fuzzy Hash: 0E117FB26401147BE7206B32EC0EFEF7A6DDFC8B10F00C065BB09A5091FAB44A4186B4
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                          • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                          • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                          • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00D7C6B4
                                                                                          • InterlockedIncrement.KERNEL32(00D7C74B), ref: 00D7C715
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,00D7C747), ref: 00D7C728
                                                                                          • CloseHandle.KERNEL32(00000000,?,00D7C747,00413588,00D78A77), ref: 00D7C733
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1026198776-1857712256
                                                                                          • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction ID: 244d38784e906c826c6cb62bc6d9e671aa09a51be3f54e9f928a62bd11adbbd4
                                                                                          • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction Fuzzy Hash: 25515FB1611B418FD7348F29C5C552ABBE9FB48300B54A93EE18BC7AA0E774F840CB20
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                            • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe
                                                                                          • API String ID: 124786226-3352897057
                                                                                          • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                          • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                          • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                          • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00D771E1
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00D77228
                                                                                          • LocalFree.KERNEL32(?,?,?), ref: 00D77286
                                                                                          • wsprintfA.USER32 ref: 00D7729D
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: be0500e370c099c6d186e95ba5e40b8b224f2e97665b25f868adb257814afbf5
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: E5312972A04208BFDB11DFA8DC45BDA7BACEF04314F14C066F959DB211EA75DA488BA4

APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F

APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64

APIs
• GetLocalTime.KERNEL32(?), ref: 00D7B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D7B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00D7B548
• GetTimeZoneInformation.KERNEL32(?), ref: 00D7B590
• wsprintfA.USER32 ref: 00D7B61E
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 8bb4fadb07ad4487435ade9db077f9e5fcd35eac548462eae27c544bc323fe10
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 6A512EB1D0021CAACF14DFD5D8885EEBBB9AF48314F14816BF505A6150E7B84AC9CFA8

APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84

APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00D76303
• LoadLibraryA.KERNEL32(?), ref: 00D7632A
• GetProcAddress.KERNEL32(00000000,?), ref: 00D763B1
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 00D76405
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 78e92423144b01283f0cc8a63ad4d626d06589c8c6c4d43ccfc72489d92fe64c
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 86414B71A04A09EBDB14CF68C884AA9B7B8EF04358F2CC169E959D7290F771ED40CB60

Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89

APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• String ID:
• API String ID: 1802437671-0
• Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
• Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718

APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
• Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
• Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
• Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00D793C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 00D793CD
• CharToOemA.USER32(?,?), ref: 00D793DB
• wsprintfA.USER32 ref: 00D79410
  • Part of subcall function 00D792CB: GetTempPathA.KERNEL32(00000400,?), ref: 00D792E2
  • Part of subcall function 00D792CB: wsprintfA.USER32 ref: 00D79350
  • Part of subcall function 00D792CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D79375
  • Part of subcall function 00D792CB: lstrlen.KERNEL32(?,?,00000000), ref: 00D79389
  • Part of subcall function 00D792CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00D79394
  • Part of subcall function 00D792CB: CloseHandle.KERNEL32(00000000), ref: 00D7939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00D79448
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction ID: 9ee5502d6b1626ba5bccabadc592a454e35a99caa8a27d45ed12fc19152cc61f
• Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction Fuzzy Hash: 19015EF69001587BDB21A7619D89EDF7B7CDB95701F0040A2BB49E2080EAB49AC58F75

APIs
• __CreateFrameInfo.LIBCMT ref: 00442007
  • Part of subcall function 0043D346: __getptd.LIBCMT ref: 0043D354
  • Part of subcall function 0043D346: __getptd.LIBCMT ref: 0043D362
• __getptd.LIBCMT ref: 00442011
  • Part of subcall function 0043EA2F: __getptd_noexit.LIBCMT ref: 0043EA32
  • Part of subcall function 0043EA2F: __amsg_exit.LIBCMT ref: 0043EA3F
• __getptd.LIBCMT ref: 0044201F
• __getptd.LIBCMT ref: 0044202D
• __getptd.LIBCMT ref: 00442038
  • Part of subcall function 0043D3EB: __CallSettingFrame@12.LIBCMT ref: 0043D437
  • Part of subcall function 00442105: __getptd.LIBCMT ref: 00442114
  • Part of subcall function 00442105: __getptd.LIBCMT ref: 00442122
Memory Dump Source
• Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
Similarity
                                                                                          • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                          • String ID:
                                                                                          • API String ID: 3282538202-0
                                                                                          • Opcode ID: 82b52318a1209ef730d5319d681579c68b95efd4f15e921cb8a75d79ffafd6a1
                                                                                          • Instruction ID: 1f26d2b162cf52cccfd16e20c8fbb1d915908f5f3995bdd14c1524195890a431
                                                                                          • Opcode Fuzzy Hash: 82b52318a1209ef730d5319d681579c68b95efd4f15e921cb8a75d79ffafd6a1
                                                                                          • Instruction Fuzzy Hash: 8A1107B1D01209DFDB00EFA5D845AEDBBB1FF08314F10906AF814B7292DB789A159F54
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                          • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                          • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 2574300362-1087626847
                                                                                          • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                          • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                          • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2777991786-2393279970
                                                                                          • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                          • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                          • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                          • String ID: *p@
                                                                                          • API String ID: 3429775523-2474123842
                                                                                          • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                          • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                          • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                          APIs
                                                                                          • ___BuildCatchObject.LIBCMT ref: 0044239F
                                                                                            • Part of subcall function 004422FA: ___BuildCatchObjectHelper.LIBCMT ref: 00442330
                                                                                          • _UnwindNestedFrames.LIBCMT ref: 004423B6
                                                                                          • ___FrameUnwindToState.LIBCMT ref: 004423C4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                          • String ID: csm
                                                                                          • API String ID: 2163707966-1018135373
                                                                                          • Opcode ID: 84f9305d874a50c559aacd72def427a465394a76ca2251e82b6bc0fb57543b16
                                                                                          • Instruction ID: 162b1056426cc82c358fe9af72ed69cc294d3496da7099d7d246f226f1b9182b
                                                                                          • Opcode Fuzzy Hash: 84f9305d874a50c559aacd72def427a465394a76ca2251e82b6bc0fb57543b16
                                                                                          • Instruction Fuzzy Hash: 85012471400109BBEF226E62CD45EAA7E7AFF08358F004016BD1815121D7BA99B2EBA8
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg$u6A
                                                                                          • API String ID: 1594361348-1940331995
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 4d9b1e0b6c290b044801e3cc8cdbba9a8ac1f2abfdc93a476c1d8991735df849
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 75E0C2306041518FCB008B2CF888AE537E4EF0A330F08C180F048C31A0D734DDC09B61
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 00D769E5
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 00D76A26
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 00D76A3A
                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 00D76BD8
                                                                                            • Part of subcall function 00D7EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00D71DCF,?), ref: 00D7EEA8
                                                                                            • Part of subcall function 00D7EE95: HeapFree.KERNEL32(00000000), ref: 00D7EEAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 3384756699-0
                                                                                          • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction ID: e5159148b0a4016446cbbfa7d51434dee4ece8aa56b3847bcffa3f6946d0ed07
                                                                                          • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction Fuzzy Hash: A171297190061DEFDF11DFA4CC809EEBBB9FB05314F14856AE519E6190E7309E92DB60
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                          • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                          • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                          • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID:
                                                                                          • API String ID: 2667537340-0
                                                                                          • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                          • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,00D7E50A,00000000,00000000,00000000,00020106,00000000,00D7E50A,00000000,000000E4), ref: 00D7E319
                                                                                          • RegSetValueExA.ADVAPI32(00D7E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 00D7E38E
                                                                                          • RegDeleteValueA.ADVAPI32(00D7E50A,?,?,?,?,?,000000C8,004122F8), ref: 00D7E3BF
                                                                                          • RegCloseKey.ADVAPI32(00D7E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,00D7E50A), ref: 00D7E3C8
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID:
                                                                                          • API String ID: 2667537340-0
                                                                                          • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction ID: f8498b0f1007134ba49f66cae25e55bf493851bb782f7734cd82a3a8529ad0b6
                                                                                          • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction Fuzzy Hash: EB213C71A0021DBBDF209FA5EC89EEE7F79EF09750F148061F908E7161E6718A54D7A0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
                                                                                          • String ID:
                                                                                          • API String ID: 1628550938-0
                                                                                          • Opcode ID: 527085ad0c23569588e8bc56588d9980db29695c3eb2eba31ec3827da0fc121d
                                                                                          • Instruction ID: bc4a548131b22b17b9de46e530637c5985591d8a156a8d0739d64019e8320eaa
                                                                                          • Opcode Fuzzy Hash: 527085ad0c23569588e8bc56588d9980db29695c3eb2eba31ec3827da0fc121d
                                                                                          • Instruction Fuzzy Hash: A7119370901701DAD720AF7BD801B5AB7E0AF08318F10952FE499A76E1CB78A945CF5D
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                          • String ID:
                                                                                          • API String ID: 3016257755-0
                                                                                          • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                          • Instruction ID: ae282ed6a95cd7186b08dcf145c2bf78d6f0b8c0a9c18ac976c3c7a0e60f1159
                                                                                          • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                          • Instruction Fuzzy Hash: B3114E3240098EBBDF125E85CC41CEE3F23FB18354B588456FE1859132D33AD9B1AB86
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                          • GetLastError.KERNEL32 ref: 00403F4E
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                          • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                          • GetLastError.KERNEL32 ref: 00403FC2
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00D7421F
                                                                                          • GetLastError.KERNEL32 ref: 00D74229
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 00D7423A
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D7424D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: 5ceadbd31ce54618ab8c33de0177aef0fb31acb881c21471a684344c0664b4c9
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: C4010872511109AFDF02DF90ED84BEF7BACEB08365F108061F905E2451E770DA648BBA
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00D741AB
                                                                                          • GetLastError.KERNEL32 ref: 00D741B5
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 00D741C6
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D741D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction ID: 561984ed873f25ac4d15f5f04e43f0393555d514e1f2e519878486904aa1ab6f
                                                                                          • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction Fuzzy Hash: CB014C7651121AAFDF02EF90ED84BEF3B6CEB18356F448065F905E2050E770DA908BB5
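The two WriteFile summaries and the two ReadFile summaries above carry the same Opcode ID once in the PE-backed region at 00400000 and once in the region at 00D70000 that is not based on a PE, while their Instruction IDs differ. Cross-checking those hashes by hand across a long listing is tedious, so the following is an added Python example (written for this edit; it is not part of the Joe Sandbox report and not a Joe Security tool) that parses this per-function listing format and groups functions by Opcode ID across memory regions. The sample input is copied, abridged, from the four blocks above. The dump-file name layout assumed here (pid.phase.dumpid.base.protection...) and the reading of the fifth field as the page protection are assumptions, not documented by the report.

```python
import re
from collections import defaultdict

# Constructed sample input: four function summaries copied (abridged) from this
# report's listing, the ReadFile/WriteFile wrappers found in two regions of PID 12.
SAMPLE = """
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00D7421F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D7424D
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Yara matches
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 5ceadbd31ce54618ab8c33de0177aef0fb31acb881c21471a684344c0664b4c9
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00D741AB
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D741D9
Memory Dump Source
• Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Yara matches
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 561984ed873f25ac4d15f5f04e43f0393555d514e1f2e519878486904aa1ab6f
"""

SECTION_LABELS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# Dump name as printed: <pid>.<phase>.<dumpid>.<base>.<protect>.<...>.sdmp. Reading
# field 5 as the page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption.
SOURCE_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.[^,]*\.sdmp,"
    r"\s*Offset:\s*([0-9A-F]+),\s*based on PE:\s*(true|false)$", re.I)
API_RE = re.compile(r"^(?:Part of subcall function \w+:\s*)?(\w+)\.(\w+)")


def parse_source(value):
    """Split a 'Source File' value into pid, base, protection and whether it was a PE image."""
    m = SOURCE_RE.match(value)
    if not m:
        raise ValueError("unrecognised Source File: " + value)
    return {"pid": int(m.group(1), 16), "base": int(m.group(3), 16),
            "protect": int(m.group(4), 16), "image": m.group(6).lower() == "true"}


def parse_blocks(text):
    """Turn the per-function listing into dicts; text before the first 'APIs' is skipped."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # every function summary starts here
            cur = {"apis": [], "strings": [], "fields": {}, "yara": False}
            blocks.append(cur)
            section = "APIs"
        elif not line or cur is None:
            continue
        elif line in SECTION_LABELS:
            section = line
            cur["yara"] |= line == "Yara matches"
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                cur["apis"].append(body)
            elif section == "Strings":
                cur["strings"].append(body)
            else:                                # "Key: value" metadata bullets
                key, _, val = body.partition(":")
                cur["fields"][key.strip()] = val.strip()
    for b in blocks:
        b["source"] = parse_source(b["fields"]["Source File"])
    return blocks


def api_names(block):
    """Imported functions the block calls, in listing order (subcall lines included)."""
    return [m.group(1) for m in map(API_RE.match, block["apis"]) if m]


def shared_opcodes(blocks):
    """Opcode IDs present in more than one memory region, with the Instruction IDs seen."""
    seen = defaultdict(lambda: {"regions": set(), "instruction_ids": set()})
    for b in blocks:
        e = seen[b["fields"]["Opcode ID"]]
        e["regions"].add((b["source"]["base"], b["source"]["image"]))
        e["instruction_ids"].add(b["fields"]["Instruction ID"])
    return {k: v for k, v in seen.items() if len(v["regions"]) > 1}
```

Running `shared_opcodes(parse_blocks(SAMPLE))` on the abridged sample reports both Opcode IDs as present at 00400000 (PE-backed) and 00D70000 (not PE-backed), each with two distinct Instruction IDs: the same opcode sequence with different operands, which is what a relocated copy of a function looks like when only addresses change. Feeding the whole listing to `parse_blocks` yields the same grouping for every function, which is a quick way to map which routines exist in the manually mapped region as well as in the original image.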
                                                                                          APIs
                                                                                          • lstrcmp.KERNEL32(?,80000009), ref: 00D7E066
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 1534048567-1846390581
                                                                                          • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                          • Instruction ID: 1e374b6f99a42f7531a2e960ee506fce0dda0f6784d62e4c0700c94af4fde0e8
                                                                                          • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                          • Instruction Fuzzy Hash: B1F062312007129BCF20CF25D884A82B7E9FB09321B48C6AAE158C3060E3B4A898CB61
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 0043E6FE
                                                                                            • Part of subcall function 0043EA2F: __getptd_noexit.LIBCMT ref: 0043EA32
                                                                                            • Part of subcall function 0043EA2F: __amsg_exit.LIBCMT ref: 0043EA3F
                                                                                          • __getptd.LIBCMT ref: 0043E715
                                                                                          • __amsg_exit.LIBCMT ref: 0043E723
                                                                                          • __lock.LIBCMT ref: 0043E733
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                          • String ID:
                                                                                          • API String ID: 3521780317-0
                                                                                          • Opcode ID: b78ccc7f9f955085c9a3344ba17983f18658971e1009bcac8464a64a30da5490
                                                                                          • Instruction ID: 9113c6c431d65f47a9aeab8c6341431268222f3b6a85bdc93a37d405eae70c95
                                                                                          • Opcode Fuzzy Hash: b78ccc7f9f955085c9a3344ba17983f18658971e1009bcac8464a64a30da5490
                                                                                          • Instruction Fuzzy Hash: BCF01D35A42701DAE620BB77D40274E73A0AB08718F10616FE445672D2CB3CA9058A9A
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                          • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                          • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                          • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                          • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                          • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                          • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                          • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                          • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                          • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                          • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                          • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                          • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                          • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                          • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00403103
                                                                                          • GetTickCount.KERNEL32 ref: 0040310F
                                                                                          • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                          • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 00D783C6
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00D78477
                                                                                            • Part of subcall function 00D769C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 00D769E5
                                                                                            • Part of subcall function 00D769C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00D76A26
                                                                                            • Part of subcall function 00D769C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00D76A3A
                                                                                            • Part of subcall function 00D7EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00D71DCF,?), ref: 00D7EEA8
                                                                                            • Part of subcall function 00D7EE95: HeapFree.KERNEL32(00000000), ref: 00D7EEAF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe
                                                                                          • API String ID: 359188348-3352897057
                                                                                          • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction ID: 0c1ae79636bde4a64df2df130f80ac65d4529bea8e8e29331a686f9874451409
                                                                                          • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction Fuzzy Hash: 084193B2D40109BFEB20EBA09D85DFF777DEB04314F1884A6F508D6011FAB05A849B74
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 00D7AFFF
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D7B00D
                                                                                            • Part of subcall function 00D7AF6F: gethostname.WS2_32(?,00000080), ref: 00D7AF83
                                                                                            • Part of subcall function 00D7AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 00D7AFE6
                                                                                            • Part of subcall function 00D7331C: gethostname.WS2_32(?,00000080), ref: 00D7333F
                                                                                            • Part of subcall function 00D7331C: gethostbyname.WS2_32(?), ref: 00D73349
                                                                                            • Part of subcall function 00D7AA0A: inet_ntoa.WS2_32(00000000), ref: 00D7AA10
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %OUTLOOK_BND_
                                                                                          • API String ID: 1981676241-3684217054
                                                                                          • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction ID: 02c4ce8fc7e1d64894c52a6418a3a935f64f527c8233f7e95bb6cb3bb9c223cd
                                                                                          • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction Fuzzy Hash: 0841037290024CABDB25EFA0DC46FEF376CFF08314F14842AF91992152EA75D6549B74
                                                                                          APIs
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00D79536
                                                                                          • Sleep.KERNEL32(000001F4), ref: 00D7955D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExecuteShellSleep
                                                                                          • String ID:
                                                                                          • API String ID: 4194306370-3916222277
                                                                                          • Opcode ID: 613737ed03f357cab549a3687ea981c82f12aceb2df9588eb74e5abe8a71fcc2
                                                                                          • Instruction ID: 5193883d5e0ad4030098b8bfd568f461448561e1ef91956ee5b2adb7bb862edf
                                                                                          • Opcode Fuzzy Hash: 613737ed03f357cab549a3687ea981c82f12aceb2df9588eb74e5abe8a71fcc2
                                                                                          • Instruction Fuzzy Hash: B941F7738083A46EEB378B78D8AD7A6BBA49B02314F1CC1A5D48A571A2F6744D818731
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                          • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID: ,k@
                                                                                          • API String ID: 3934441357-1053005162
                                                                                          • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                          • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                          • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                          • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00D7B9D9
                                                                                          • InterlockedIncrement.KERNEL32(00413648), ref: 00D7BA3A
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 00D7BA94
                                                                                          • GetTickCount.KERNEL32 ref: 00D7BB79
                                                                                          • GetTickCount.KERNEL32 ref: 00D7BB99
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 00D7BE15
                                                                                          • closesocket.WS2_32(00000000), ref: 00D7BEB4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountIncrementInterlockedTick$closesocket
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 1869671989-2903620461
                                                                                          • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction ID: 913ca338bf9ab4f04404473dffdaa565d572e8179a13f12b4125726c321c7681
                                                                                          • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction Fuzzy Hash: 6E317C71400248DFDF25DFA4DC85BED77A8EB48710F24805AFA2882261FB75DA85CF20
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                          • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                          • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                          • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                          APIs
                                                                                            • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                            • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 3716169038-2903620461
                                                                                          • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                          • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                          • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00D770BC
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 00D770F4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID: |
                                                                                          • API String ID: 2370142434-2343686810
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: 1cec5a6fd6a5d87f5e2e9f0fdc9b90fd257a35c952a3895e895fc50eab8d9d3b
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: BF115E72A0421CEBDF11CFD4DC84ADEB7BCAB04301F5491A6E905E6090E7709B88CBB0
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2777991786-1857712256
                                                                                          • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                          • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                          • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: IncrementInterlockedlstrcpyn
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 224340156-2903620461
                                                                                          • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                          • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 00442114
                                                                                            • Part of subcall function 0043EA2F: __getptd_noexit.LIBCMT ref: 0043EA32
                                                                                            • Part of subcall function 0043EA2F: __amsg_exit.LIBCMT ref: 0043EA3F
                                                                                          • __getptd.LIBCMT ref: 00442122
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130046316.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_415000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                          • String ID: csm
                                                                                          • API String ID: 803148776-1018135373
                                                                                          • Opcode ID: dc06647ed881300172cdfc684aac1163bc2a0f868911a398cd8d5672599b3405
                                                                                          • Instruction ID: 96f6a5e9f7941ab84f0187159e4ce633c560aaca1b25a4ff6305554a5f7d0553
                                                                                          • Opcode Fuzzy Hash: dc06647ed881300172cdfc684aac1163bc2a0f868911a398cd8d5672599b3405
                                                                                          • Instruction Fuzzy Hash: FC018B388002018AEF34AF22D5407AEB3B5BF94311FA4542FF441A63A1CBB89D81CF49
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                          • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                          • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                          • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                          APIs
                                                                                            • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_400000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                          • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                          • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                          APIs
                                                                                            • Part of subcall function 00D72F88: GetModuleHandleA.KERNEL32(?), ref: 00D72FA1
                                                                                            • Part of subcall function 00D72F88: LoadLibraryA.KERNEL32(?), ref: 00D72FB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D731DA
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00D731E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_d70000_lnmlavab.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction ID: 36d72d4817d1aae506c2788f64d6c803f424addc84adb5532ffa37187aad99b3
                                                                                          • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction Fuzzy Hash: 4351BC7190024AAFCF119F68D8889FAB7B5FF15304F148169EC9AC7211F732DA19DBA4
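The three function records above are worth reading together: the first resolves an export from ntdll.dll at run time (LoadLibraryA followed by GetProcAddress, so the target never appears in the import table), and the other two are the same GetModuleHandleA/LoadLibraryA + GetProcessHeap/HeapFree routine, once inside the PE-backed 0x400000 image and once inside the unbacked 0xD70000 region. The parser below turns records in this report format into structured data and emits the flags a triage analyst would want. It is an added example, not Joe Sandbox code; the sample text is copied from this report, the flag names are invented here, and the use of "$" as the separator inside "String ID" values is an assumption.

```python
"""Parse Joe Sandbox per-function API summaries and flag run-time import
resolution and unbacked-memory records.  Added example; the SAMPLE text is
copied from the records in this report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Name.MODULE(args), ref: ADDR", optionally prefixed by the report's
# "Part of subcall function XXXX:" marker for calls made by a callee.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Loader APIs that, paired with GetProcAddress, mean an import resolved at run time.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                      # call-site address
    args: List[str]
    subcall_of: Optional[int]     # address of the callee containing the call, if any


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    source_file: str = ""
    based_on_pe: bool = False     # False: dump region is not backed by a PE image
    strings: List[str] = field(default_factory=list)
    api_calls: List[ApiCall] = field(default_factory=list)


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # each record opens with its API list
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("\u2022"):
            continue
        body = line.lstrip("\u2022 ").strip()
        if body.startswith("Opcode ID: "):
            cur.opcode_id = body[len("Opcode ID: "):]
        elif body.startswith("Source File: "):
            # "Source File: <dump>, Offset: <hex>, based on PE: <bool>"
            parts = [p.strip() for p in body[len("Source File: "):].split(",")]
            cur.source_file = parts[0]
            cur.based_on_pe = "based on PE: true" in parts
        elif body.startswith("String ID:"):
            value = body[len("String ID:"):].strip()
            if value:                           # assumption: "$" separates several strings
                cur.strings.extend(s.strip() for s in value.split("$"))
        else:
            m = API_LINE.match(body)
            if m:                               # other bullets (API ID, hashes) are skipped
                cur.api_calls.append(ApiCall(
                    name=m["name"], module=m["module"], ref=int(m["ref"], 16),
                    args=[a for a in m["args"].split(",") if a],
                    subcall_of=int(m["caller"], 16) if m["caller"] else None))
    return records


def flag_record(rec: FunctionRecord) -> List[str]:
    """Triage flags for one record (flag names are this example's own)."""
    names = {c.name for c in rec.api_calls}
    flags: List[str] = []
    if names & LOADERS and "GetProcAddress" in names:
        # First argument of the loader call is the library name when the report recovered it.
        libs = [c.args[0] for c in rec.api_calls
                if c.name in LOADERS and c.args and c.args[0].lower().endswith(".dll")]
        flags.append("dynamic-api-resolution:" + (",".join(libs) or "unknown-dll"))
    if "GetProcessHeap" in names:
        flags.append("getprocessheap")           # listed by the report as a possible debugger check
    if not rec.based_on_pe:
        flags.append("unbacked-memory")
    return flags


def triage(text: str) -> List[tuple]:
    """(opcode id prefix, call-site address, flags) for every record in the text."""
    return [(r.opcode_id[:8], r.api_calls[0].ref if r.api_calls else 0, flag_record(r))
            for r in parse_records(text)]


SAMPLE = """
APIs
\u2022 LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
\u2022 GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
\u2022 Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
\u2022 API ID: AddressLibraryLoadProc
\u2022 String ID: ntdll.dll
\u2022 Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
APIs
  \u2022 Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  \u2022 Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
\u2022 GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
\u2022 HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
\u2022 Source File: 0000000C.00000002.2130023880.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
\u2022 String ID:
\u2022 Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
APIs
  \u2022 Part of subcall function 00D72F88: GetModuleHandleA.KERNEL32(?), ref: 00D72FA1
  \u2022 Part of subcall function 00D72F88: LoadLibraryA.KERNEL32(?), ref: 00D72FB1
\u2022 GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D731DA
\u2022 HeapFree.KERNEL32(00000000), ref: 00D731E1
Memory Dump Source
\u2022 Source File: 0000000C.00000002.2130374425.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
Similarity
\u2022 Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
"""

if __name__ == "__main__":
    for opcode, ref, flags in triage(SAMPLE):
        print(f"{opcode} @ {ref:08x}: {flags}")
```

The "unbacked-memory" flag is the one to chase first: a function that is byte-for-byte the same routine as one in the mapped image, but lives in a region with no PE backing, is what the unpacking and injection signatures in this report are about.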

                                                                                          Execution Graph

                                                                                          Execution Coverage:15%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:0.7%
                                                                                          Total number of Nodes:1807
                                                                                          Total number of Limit Nodes:18
execution_graph (per-node API summary; the original dump lists node ids, addresses, API names and a->b edges as one token stream; node ids and the edge list are not reproduced here, and the source dump is cut off after node 7043)

Startup, self-management and process control
  2be9a6b  SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter
  2beec54  GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount
  2be9aa3, 2bea167, 2be9f9d, 2be934a  GetModuleHandleA, GetModuleFileNameA
  2be9145  GetModuleHandleA, GetModuleFileNameA, CharToOemA
  2be9afd, 2bea1e3  GetCommandLineA
  2bea41c  CreateThread, WSAStartup;  2be8269  CreateThread
  2be405e, 2be4280  CreateEventA
  2bea39d  StartServiceCtrlDispatcherA
  2be9f32  RegOpenKeyExA;  2be9f48  RegSetValueExA, RegCloseKey
  2be972d  RegOpenKeyExA;  2be974f  RegDeleteValueA, RegCloseKey
  2bea103, 2bed4b1, 2be80c2  CreateProcessA;  2be91d5  ShellExecuteA
  2be9ca0, 2be9064, 2becc1c  GetTempPathA
  2bea406, 2be9e0c, 2bea12a, 2becdbd, 2be6b7f, 2be7ece  DeleteFileA
  2be9c05, 2bed582  ExitProcess
  2bea1b2, 2be9ff1  GetDriveTypeA
  2be9e6b, 2becfad, 2bed36e, 2bed22d, 2bedb67  GetEnvironmentVariableA
  2be9dde, 2be737e, 2be777e  GetFileAttributesExA
  2bea3ed, 2be6b8c  GetLastError;  2be6b36, 2be6b65  GetLastError, CloseHandle
  2bea3f8, 2bea4be, 2be8dec, 2be9904, 2bedd39  Sleep;  2bed569  closesocket, Sleep
  2bea49f, 2bea4b7, 2bedd05, 2bedd2e, 2be1f8e  GetTickCount
  2bedd41  InterlockedExchange;  2bedd20, 2bedd53  GetCurrentThreadId
  2be5d34  IsBadWritePtr

String handling
  2bea0a4, 2bed815, 2becd16, 2be9401, 2be93c3, 2be947e, 2be919e  wsprintfA
  2bea02d, 2bea052, 2bea064, 2bea081, 2be2554, 2bea0ec, 2be9a2f, 2be9a4b, 2bed105, 2bed3af, 2bed26e  lstrcatA
  2be99d2  lstrcpyA;  2be9eb0  lstrcpyA, lstrlenA;  2be9d72  lstrcpyA, lstrcatA, lstrcatA;  2bedb89  lstrcpyA, CreateFileA
  2bee8c8, 2bee6e0  lstrcpynA
  2be9b96, 2bea285, 2beef1e, 2bef1a5, 2be2419, 2be243d, 2be2464, 2bee94c  lstrlenA;  2bee926  lstrlenA, lstrlenA
  2bebe31, 2bebe55, 2bebe61, 2bebf62, 2bebf77, 2bebf8c, 2beddad, 2bedd84, 2be244e, 2bee7ff  lstrcmpiA
  2beddcf, 2beddfa, 2bee68c, 2bee71d  lstrcmpA;  2be72b8  ___ascii_stricmp

Host and network-adapter fingerprinting
  2be1db4  GetVersionExA;  2be1dd0  GetSystemInfo, GetModuleHandleA, GetProcAddress;  2be1e16  GetCurrentProcess
  2be199c  inet_addr, LoadLibraryA;  2be19d5  GetProcAddress, GetProcAddress, GetProcAddress;  2be1a14  GetBestInterface, GetProcessHeap
  2be1a2e  HeapAlloc;  2be1a42, 2be1a69  GetAdaptersInfo;  2be1a52  HeapReAlloc;  2be1a75  HeapFree;  2be1aa1, 2be1ab3  FreeLibrary
  2be1ac3  LoadLibraryA;  2be1ae2  GetProcAddress;  2be1b1c  GetAdaptersAddresses;  2be1b68  GetComputerNameA, GetVolumeInformationA
  2be1c0d  GetComputerNameA;  2be1c45, 2be6e02  GetVolumeInformationA
  2be30d0  gethostname, gethostbyname
  2be6f5f, 2be7809, 2be7acb  GetUserNameA
  2be6cdc  GetModuleHandleA, GetProcAddress;  2be6d12, 2becfe3, 2bed027  GetSystemDirectoryA;  2be6d27  GetWindowsDirectoryA
  2be6a8f  GetDiskFreeSpaceA

Run-time import resolution and heap helpers
  2beeaed  LoadLibraryA;  2beeb02  GetProcAddress
  2bef04e  LoadLibraryA, GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime
  2beebcc  GetProcessHeap, RtlAllocateHeap;  2beebbf  GetProcessHeap, RtlReAllocateHeap
  2beeba7, 2beeb7b  GetProcessHeap, HeapSize;  2beec2e  GetProcessHeap, HeapSize, GetProcessHeap, RtlFreeHeap (codecvt);  2beec3d  GetProcessHeap, RtlFreeHeap

Registry enumeration and configuration
  2be8156, 2be70b9, 2be7469, 2be74d2, 2be94e8, 2bee3ca, 2be7cf2, 2be7a95  RegOpenKeyExA
  2be816d, 2be81aa, 2be7521, 2be951f, 2be9556, 2bee434, 2bee46e, 2bee4b9  RegQueryValueExA
  2be719b  RegEnumValueA;  2be7703  RegEnumKeyA;  2be7d43  RegSetValueExA
  2be820d, 2be71af, 2be7205, 2be728e, 2be72cd, 2be7311, 2be73d5, 2be7714, 2be7742, 2be76e4, 2be77e3, 2be77ec, 2be956e, 2bee51d, 2be7da7  RegCloseKey

File and registry-key security descriptor rewriting (routines 2be7809 and 2be7a95)
  2be783d, 2be7aed  LookupAccountNameA
  2be7874  GetLengthSid, GetFileSecurityA;  2be7b24  RegGetKeySecurity
  2be78a8, 2be7b49  GetSecurityDescriptorOwner;  2be791d, 2be7bb8  GetSecurityDescriptorDacl
  2be78c5, 2be7980, 2be79be, 2be7b63, 2be7c1d, 2be7c5f  EqualSid
  2be78dc, 2be7a43, 2be7b74, 2be7d5a  LocalAlloc;  2be7916, 2be7a86, 2be7bb1, 2be7d9f  LocalFree
  2be78ef, 2be7a56, 2be7b8a, 2be7d70  InitializeSecurityDescriptor
  2be78fb, 2be7b96  SetSecurityDescriptorOwner;  2be7a62, 2be7d7c  SetSecurityDescriptorDacl
  2be795b, 2be7bf8  GetAce;  2be799d, 2be7c3a  DeleteAce
  2be790b, 2be7a73  SetFileSecurityA;  2be7ba6, 2be7d8c  RegSetKeySecurity

Socket I/O
  2be2692  inet_addr;  2be269e  gethostbyname
  2bec73c  send;  2bec65c  send, GetProcessHeap, HeapSize, GetProcessHeap, RtlAllocateHeap
  2bef473, 2bef43e  recv
  2beca4b, 2becb60, 2bedad2  closesocket

File read, write and drop
  2becc9f, 2bed15b, 2bed3f2, 2bed2b1, 2be6784, 2be67a4, 2be6a60  CreateFileA
  2beccc6  WriteFile;  2bed182, 2bed415, 2bed2d8  WriteFile, CloseHandle;  2be3f18  WriteFile
  2bed149, 2bed1bf, 2bed3e0, 2bed452, 2bed29f, 2bed31d, 2be677a, 2be67ba  SetFileAttributesA
  2becd81  WaitForSingleObject, CloseHandle, CloseHandle;  2bed4e8, 2be439f  CloseHandle, CloseHandle
  2be8e26  GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle
  2be67cf, 2bee555  GetFileSize;  2be67ed, 2be682a, 2be6878, 2be690d, 2bee576  ReadFile;  2be6811, 2be6848, 2be6900  SetFilePointer
  2bee5b1, 2becdcc, 2becced, 2be696e, 2be6b56, 2be43c1, 2be43ba  CloseHandle
7042->7047 7044 2be345f 7043->7044 7045 2be30fa 4 API calls 7044->7045 7045->7047 7046 2beebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7046->7051 7047->6462 7048 2be344d 7049 2beec2e codecvt 4 API calls 7048->7049 7049->7039 7051->7039 7051->7046 7051->7047 7051->7048 7052 2be3141 lstrcmpiA 7051->7052 7150 2be30fa GetTickCount 7051->7150 7052->7051 7054 2be30fa 4 API calls 7053->7054 7055 2be3c1a 7054->7055 7059 2be3ce6 7055->7059 7155 2be3a72 7055->7155 7058 2be3a72 9 API calls 7062 2be3c5e 7058->7062 7059->6462 7060 2be3a72 9 API calls 7060->7062 7061 2beec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7061->7062 7062->7059 7062->7060 7062->7061 7064 2be3a10 7063->7064 7065 2be30fa 4 API calls 7064->7065 7066 2be3a1a 7065->7066 7066->6462 7068 2bedd05 6 API calls 7067->7068 7069 2bee7be 7068->7069 7069->6462 7071 2bec07e wsprintfA 7070->7071 7072 2bec105 7070->7072 7164 2bebfce GetTickCount wsprintfA 7071->7164 7072->6462 7074 2bec0ef 7165 2bebfce GetTickCount wsprintfA 7074->7165 7077 2be6f88 LookupAccountNameA 7076->7077 7078 2be7047 7076->7078 7080 2be6fcb 7077->7080 7081 2be7025 7077->7081 7078->6462 7083 2be6fdb ConvertSidToStringSidA 7080->7083 7166 2be6edd 7081->7166 7083->7081 7085 2be6ff1 7083->7085 7086 2be7013 LocalFree 7085->7086 7086->7081 7088 2bedd05 6 API calls 7087->7088 7089 2bee85c 7088->7089 7090 2bedd84 lstrcmpiA 7089->7090 7091 2bee867 7090->7091 7092 2bee885 lstrcpyA 7091->7092 7177 2be24a5 7091->7177 7180 2bedd69 7092->7180 7098 2be7db7 2 API calls 7097->7098 7099 2be7de1 7098->7099 7100 2be7e16 7099->7100 7101 2bef04e 4 API calls 7099->7101 7100->6462 7102 2be7df2 7101->7102 7102->7100 7103 2bef04e 4 API calls 7102->7103 7103->7100 7105 2bef33b 7104->7105 7106 2beca1d 7104->7106 7107 2bef347 htons socket 7105->7107 7106->6381 7106->6959 7108 2bef374 closesocket 7107->7108 7109 2bef382 ioctlsocket 7107->7109 7108->7106 7110 2bef39d 7109->7110 7111 2bef3aa connect select 7109->7111 7112 2bef39f closesocket 
7110->7112 7111->7106 7113 2bef3f2 __WSAFDIsSet 7111->7113 7112->7106 7113->7112 7114 2bef403 ioctlsocket 7113->7114 7116 2bef26d setsockopt setsockopt setsockopt setsockopt setsockopt 7114->7116 7116->7106 7118 2bedd84 lstrcmpiA 7117->7118 7119 2bec58e 7118->7119 7119->6966 7119->6973 7119->6974 7121 2be7dc8 InterlockedExchange 7120->7121 7122 2be7dd4 7121->7122 7123 2be7dc0 Sleep 7121->7123 7122->7007 7122->7008 7123->7121 7126 2bee184 7124->7126 7125 2bee2e4 7125->7035 7126->7125 7127 2bee223 7126->7127 7140 2bedfe2 7126->7140 7127->7125 7129 2bedfe2 8 API calls 7127->7129 7132 2bee23c 7129->7132 7130 2bee1be 7130->7127 7131 2bedbcf 3 API calls 7130->7131 7134 2bee1d6 7131->7134 7132->7125 7144 2bee095 RegCreateKeyExA 7132->7144 7133 2bee21a CloseHandle 7133->7127 7134->7127 7134->7133 7135 2bee1f9 WriteFile 7134->7135 7135->7133 7137 2bee213 7135->7137 7137->7133 7138 2bee2a3 7138->7125 7139 2bee095 4 API calls 7138->7139 7139->7125 7141 2bedffc 7140->7141 7143 2bee024 7140->7143 7142 2bedb2e 8 API calls 7141->7142 7141->7143 7142->7143 7143->7130 7145 2bee172 7144->7145 7147 2bee0c0 7144->7147 7145->7138 7146 2bee13d 7148 2bee14e RegDeleteValueA RegCloseKey 7146->7148 7147->7146 7149 2bee115 RegSetValueExA 7147->7149 7148->7145 7149->7146 7149->7147 7151 2be3122 InterlockedExchange 7150->7151 7152 2be312e 7151->7152 7153 2be310f GetTickCount 7151->7153 7152->7051 7153->7152 7154 2be311a Sleep 7153->7154 7154->7151 7156 2bef04e 4 API calls 7155->7156 7163 2be3a83 7156->7163 7157 2beec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7159 2be3bc0 7157->7159 7158 2be3be6 7160 2beec2e codecvt 4 API calls 7158->7160 7159->7157 7159->7158 7162 2be3ac1 7160->7162 7161 2be3b66 lstrlenA 7161->7162 7161->7163 7162->7058 7162->7059 7163->7159 7163->7161 7163->7162 7164->7074 7165->7072 7167 2be6eef AllocateAndInitializeSid 7166->7167 7173 2be6f55 wsprintfA 7166->7173 7168 2be6f1c CheckTokenMembership 7167->7168 7169 2be6f44 7167->7169 7170 2be6f2e 7168->7170 
7171 2be6f3b FreeSid 7168->7171 7169->7173 7174 2be6e36 GetUserNameW 7169->7174 7170->7171 7171->7169 7173->7078 7175 2be6e5f LookupAccountNameW 7174->7175 7176 2be6e97 7174->7176 7175->7176 7176->7173 7178 2be2419 4 API calls 7177->7178 7179 2be24b6 7178->7179 7179->7092 7181 2bedd79 lstrlenA 7180->7181 7181->6462 7183 2beeb21 7182->7183 7184 2beeb17 7182->7184 7183->6507 7185 2beeae4 2 API calls 7184->7185 7185->7183 7187 2be69b9 WriteFile 7186->7187 7190 2be6a3c 7187->7190 7191 2be69ff 7187->7191 7189 2be6a10 WriteFile 7189->7190 7189->7191 7190->6504 7190->6505 7191->7189 7191->7190 7193 2be3edc 7192->7193 7194 2be3ee2 7192->7194 7195 2be6dc2 6 API calls 7193->7195 7194->6518 7195->7194 7197 2be400b CreateFileA 7196->7197 7198 2be402c GetLastError 7197->7198 7200 2be4052 7197->7200 7199 2be4037 7198->7199 7198->7200 7199->7200 7201 2be4041 Sleep 7199->7201 7200->6522 7201->7197 7201->7200 7203 2be3f4e GetLastError 7202->7203 7204 2be3f7c 7202->7204 7203->7204 7205 2be3f5b WaitForSingleObject GetOverlappedResult 7203->7205 7206 2be3f8c ReadFile 7204->7206 7205->7204 7207 2be3fc2 GetLastError 7206->7207 7208 2be3ff0 7206->7208 7207->7208 7209 2be3fcf WaitForSingleObject GetOverlappedResult 7207->7209 7208->6527 7208->6528 7209->7208 7211 2be1924 GetVersionExA 7210->7211 7211->6567 7213 2bef0ed 7212->7213 7214 2bef0f1 7212->7214 7213->6599 7215 2bef0fa lstrlenA SysAllocStringByteLen 7214->7215 7216 2bef119 7214->7216 7217 2bef11c MultiByteToWideChar 7215->7217 7218 2bef117 7215->7218 7216->7217 7217->7218 7218->6599 7220 2be1820 17 API calls 7219->7220 7221 2be18f2 7220->7221 7222 2be18f9 7221->7222 7236 2be1280 7221->7236 7222->6595 7224 2be1908 7224->6595 7249 2be1000 7225->7249 7227 2be1839 7228 2be183d 7227->7228 7229 2be1851 GetCurrentProcess 7227->7229 7228->6585 7230 2be1864 7229->7230 7230->6585 7232 2be920e 7231->7232 7235 2be9308 7231->7235 7233 2be92f1 Sleep 7232->7233 7234 2be92bf ShellExecuteA 7232->7234 7232->7235 7233->7232 7234->7232 7234->7235 
7235->6595 7239 2be12e1 ShellExecuteExW 7236->7239 7238 2be16f9 GetLastError 7245 2be1699 7238->7245 7239->7238 7247 2be13a8 7239->7247 7240 2be1570 lstrlenW 7240->7247 7241 2be15be GetStartupInfoW 7241->7247 7242 2be15ff CreateProcessWithLogonW 7243 2be16bf GetLastError 7242->7243 7244 2be163f WaitForSingleObject 7242->7244 7243->7245 7246 2be1659 CloseHandle 7244->7246 7244->7247 7245->7224 7246->7247 7247->7240 7247->7241 7247->7242 7247->7245 7248 2be1668 CloseHandle 7247->7248 7248->7247 7250 2be100d LoadLibraryA 7249->7250 7261 2be1023 7249->7261 7251 2be1021 7250->7251 7250->7261 7251->7227 7252 2be10b5 GetProcAddress 7253 2be127b 7252->7253 7254 2be10d1 GetProcAddress 7252->7254 7253->7227 7254->7253 7255 2be10f0 GetProcAddress 7254->7255 7255->7253 7256 2be1110 GetProcAddress 7255->7256 7256->7253 7257 2be1130 GetProcAddress 7256->7257 7257->7253 7258 2be114f GetProcAddress 7257->7258 7258->7253 7259 2be116f GetProcAddress 7258->7259 7259->7253 7260 2be118f GetProcAddress 7259->7260 7260->7253 7262 2be11ae GetProcAddress 7260->7262 7261->7252 7269 2be10ae 7261->7269 7262->7253 7263 2be11ce GetProcAddress 7262->7263 7263->7253 7264 2be11ee GetProcAddress 7263->7264 7264->7253 7265 2be1209 GetProcAddress 7264->7265 7265->7253 7266 2be1225 GetProcAddress 7265->7266 7266->7253 7267 2be1241 GetProcAddress 7266->7267 7267->7253 7268 2be125c GetProcAddress 7267->7268 7268->7253 7269->7227 7271 2be908d 7270->7271 7272 2be90e2 wsprintfA 7271->7272 7273 2beee2a 7272->7273 7274 2be90fd CreateFileA 7273->7274 7275 2be913f 7274->7275 7276 2be911a lstrlenA WriteFile CloseHandle 7274->7276 7275->6622 7275->6623 7276->7275 7278 2beee2a 7277->7278 7279 2be9794 CreateProcessA 7278->7279 7280 2be97bb 7279->7280 7281 2be97c2 7279->7281 7280->6634 7282 2be97d4 GetThreadContext 7281->7282 7283 2be97f5 7282->7283 7284 2be9801 7282->7284 7285 2be97f6 TerminateProcess 7283->7285 7291 2be637c 7284->7291 7285->7280 7287 2be9816 7287->7285 7288 2be981e WriteProcessMemory 7287->7288 
7288->7283 7289 2be983b SetThreadContext 7288->7289 7289->7283 7290 2be9858 ResumeThread 7289->7290 7290->7280 7292 2be638a GetModuleHandleA VirtualAlloc 7291->7292 7293 2be6386 7291->7293 7294 2be63b6 7292->7294 7295 2be63f5 7292->7295 7293->7287 7296 2be63be VirtualAllocEx 7294->7296 7295->7287 7296->7295 7297 2be63d6 7296->7297 7298 2be63df WriteProcessMemory 7297->7298 7298->7295 7300 2be879f 7299->7300 7301 2be8791 7299->7301 7303 2be87bc 7300->7303 7305 2bef04e 4 API calls 7300->7305 7302 2bef04e 4 API calls 7301->7302 7302->7300 7304 2bee819 11 API calls 7303->7304 7306 2be87d7 7304->7306 7305->7303 7319 2be8803 7306->7319 7454 2be26b2 gethostbyaddr 7306->7454 7309 2be87eb 7311 2bee8a1 30 API calls 7309->7311 7309->7319 7311->7319 7314 2bee819 11 API calls 7314->7319 7315 2be88a0 Sleep 7315->7319 7317 2be26b2 2 API calls 7317->7319 7318 2bef04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7318->7319 7319->7314 7319->7315 7319->7317 7319->7318 7320 2bee8a1 30 API calls 7319->7320 7351 2be8cee 7319->7351 7359 2bec4d6 7319->7359 7362 2bec4e2 7319->7362 7365 2be2011 7319->7365 7400 2be8328 7319->7400 7320->7319 7322 2be407d 7321->7322 7323 2be4084 7321->7323 7324 2be3ecd 6 API calls 7323->7324 7325 2be408f 7324->7325 7326 2be4000 3 API calls 7325->7326 7327 2be4095 7326->7327 7328 2be4130 7327->7328 7329 2be40c0 7327->7329 7330 2be3ecd 6 API calls 7328->7330 7334 2be3f18 4 API calls 7329->7334 7331 2be4159 CreateNamedPipeA 7330->7331 7332 2be4188 ConnectNamedPipe 7331->7332 7333 2be4167 Sleep 7331->7333 7337 2be4195 GetLastError 7332->7337 7346 2be41ab 7332->7346 7333->7328 7335 2be4176 CloseHandle 7333->7335 7336 2be40da 7334->7336 7335->7332 7338 2be3f8c 4 API calls 7336->7338 7339 2be425e DisconnectNamedPipe 7337->7339 7337->7346 7340 2be40ec 7338->7340 7339->7332 7341 2be4127 CloseHandle 7340->7341 7342 2be4101 7340->7342 7341->7328 7343 2be3f18 4 API calls 7342->7343 7345 2be411c ExitProcess 7343->7345 7344 2be3f8c ReadFile 
GetLastError WaitForSingleObject GetOverlappedResult 7344->7346 7346->7332 7346->7339 7346->7344 7347 2be3f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7346->7347 7348 2be426a CloseHandle CloseHandle 7346->7348 7347->7346 7349 2bee318 23 API calls 7348->7349 7350 2be427b 7349->7350 7350->7350 7352 2be8dae 7351->7352 7353 2be8d02 GetTickCount 7351->7353 7352->7319 7353->7352 7356 2be8d19 7353->7356 7354 2be8da1 GetTickCount 7354->7352 7356->7354 7358 2be8d89 7356->7358 7459 2bea677 7356->7459 7462 2bea688 7356->7462 7358->7354 7470 2bec2dc 7359->7470 7363 2bec2dc 142 API calls 7362->7363 7364 2bec4ec 7363->7364 7364->7319 7366 2be202e 7365->7366 7367 2be2020 7365->7367 7369 2be204b 7366->7369 7370 2bef04e 4 API calls 7366->7370 7368 2bef04e 4 API calls 7367->7368 7368->7366 7371 2be206e GetTickCount 7369->7371 7373 2bef04e 4 API calls 7369->7373 7370->7369 7372 2be20db GetTickCount 7371->7372 7384 2be2090 7371->7384 7375 2be2132 GetTickCount GetTickCount 7372->7375 7383 2be20e7 7372->7383 7376 2be2068 7373->7376 7374 2be20d4 GetTickCount 7374->7372 7377 2bef04e 4 API calls 7375->7377 7376->7371 7380 2be2159 7377->7380 7378 2be212b GetTickCount 7378->7375 7379 2be2684 2 API calls 7379->7384 7382 2be21b4 7380->7382 7386 2bee854 13 API calls 7380->7386 7385 2bef04e 4 API calls 7382->7385 7383->7378 7392 2be1978 15 API calls 7383->7392 7393 2be2125 7383->7393 7800 2be2ef8 7383->7800 7384->7374 7384->7379 7389 2be20ce 7384->7389 7810 2be1978 7384->7810 7388 2be21d1 7385->7388 7390 2be218e 7386->7390 7394 2be21f2 7388->7394 7396 2beea84 30 API calls 7388->7396 7389->7374 7391 2bee819 11 API calls 7390->7391 7395 2be219c 7391->7395 7392->7383 7393->7378 7394->7319 7395->7382 7815 2be1c5f 7395->7815 7397 2be21ec 7396->7397 7398 2bef04e 4 API calls 7397->7398 7398->7394 7401 2be7dd6 6 API calls 7400->7401 7402 2be833c 7401->7402 7403 2be6ec3 2 API calls 7402->7403 7429 2be8340 7402->7429 7404 2be834f 7403->7404 7405 2be835c 7404->7405 7409 2be846b 
7404->7409 7406 2be73ff 17 API calls 7405->7406 7423 2be8373 7406->7423 7407 2be85df 7410 2be8626 GetTempPathA 7407->7410 7421 2be8768 7407->7421 7434 2be8671 7407->7434 7408 2be675c 21 API calls 7408->7407 7411 2be84a7 RegOpenKeyExA 7409->7411 7427 2be8450 7409->7427 7420 2be8638 7410->7420 7413 2be852f 7411->7413 7414 2be84c0 RegQueryValueExA 7411->7414 7422 2be8564 RegOpenKeyExA 7413->7422 7432 2be85a5 7413->7432 7416 2be84dd 7414->7416 7417 2be8521 RegCloseKey 7414->7417 7415 2be86ad 7418 2be8762 7415->7418 7419 2be7e2f 6 API calls 7415->7419 7416->7417 7428 2beebcc 4 API calls 7416->7428 7417->7413 7418->7421 7433 2be86bb 7419->7433 7420->7434 7426 2beec2e codecvt 4 API calls 7421->7426 7421->7429 7424 2be8573 RegSetValueExA RegCloseKey 7422->7424 7422->7432 7423->7427 7423->7429 7435 2be83ea RegOpenKeyExA 7423->7435 7424->7432 7425 2be875b DeleteFileA 7425->7418 7426->7429 7427->7407 7427->7408 7431 2be84f0 7428->7431 7429->7319 7431->7417 7436 2be84f8 RegQueryValueExA 7431->7436 7432->7427 7438 2beec2e codecvt 4 API calls 7432->7438 7433->7425 7441 2be86e0 lstrcpyA lstrlenA 7433->7441 7887 2be6ba7 IsBadCodePtr 7434->7887 7435->7427 7439 2be83fd RegQueryValueExA 7435->7439 7436->7417 7437 2be8515 7436->7437 7440 2beec2e codecvt 4 API calls 7437->7440 7438->7427 7442 2be841e 7439->7442 7443 2be842d RegSetValueExA 7439->7443 7444 2be851d 7440->7444 7445 2be7fcf 64 API calls 7441->7445 7442->7443 7446 2be8447 RegCloseKey 7442->7446 7443->7446 7444->7417 7447 2be8719 CreateProcessA 7445->7447 7446->7427 7448 2be874f 7447->7448 7449 2be873d CloseHandle CloseHandle 7447->7449 7450 2be7ee6 64 API calls 7448->7450 7449->7421 7451 2be8754 7450->7451 7452 2be7ead 6 API calls 7451->7452 7453 2be875a 7452->7453 7453->7425 7455 2be26cd 7454->7455 7456 2be26fb 7454->7456 7457 2be26e1 inet_ntoa 7455->7457 7458 2be26de 7455->7458 7456->7309 7457->7458 7458->7309 7465 2bea63d 7459->7465 7461 2bea685 7461->7356 7463 2bea63d GetTickCount 7462->7463 7464 2bea696 7463->7464 
7464->7356 7466 2bea64d 7465->7466 7467 2bea645 7465->7467 7468 2bea65e GetTickCount 7466->7468 7469 2bea66e 7466->7469 7467->7461 7468->7469 7469->7461 7487 2bea4c7 GetTickCount 7470->7487 7473 2bec47a 7478 2bec4ab InterlockedIncrement CreateThread 7473->7478 7479 2bec4d2 7473->7479 7474 2bec326 7476 2bec337 7474->7476 7477 2bec32b GetTickCount 7474->7477 7475 2bec300 GetTickCount 7475->7476 7476->7473 7481 2bec363 GetTickCount 7476->7481 7477->7476 7478->7479 7480 2bec4cb CloseHandle 7478->7480 7492 2beb535 7478->7492 7479->7319 7480->7479 7481->7473 7482 2bec373 7481->7482 7483 2bec378 GetTickCount 7482->7483 7484 2bec37f 7482->7484 7483->7484 7485 2bec43b GetTickCount 7484->7485 7486 2bec45e 7485->7486 7486->7473 7488 2bea4f7 InterlockedExchange 7487->7488 7489 2bea4e4 GetTickCount 7488->7489 7490 2bea500 7488->7490 7489->7490 7491 2bea4ef Sleep 7489->7491 7490->7473 7490->7474 7490->7475 7491->7488 7493 2beb566 7492->7493 7494 2beebcc 4 API calls 7493->7494 7495 2beb587 7494->7495 7496 2beebcc 4 API calls 7495->7496 7547 2beb590 7496->7547 7497 2bebdcd InterlockedDecrement 7498 2bebde2 7497->7498 7500 2beec2e codecvt 4 API calls 7498->7500 7501 2bebdea 7500->7501 7502 2beec2e codecvt 4 API calls 7501->7502 7504 2bebdf2 7502->7504 7503 2bebdb7 Sleep 7503->7547 7505 2bebe05 7504->7505 7507 2beec2e codecvt 4 API calls 7504->7507 7506 2bebdcc 7506->7497 7507->7505 7508 2beebed 8 API calls 7508->7547 7511 2beb6b6 lstrlenA 7511->7547 7512 2be30b5 2 API calls 7512->7547 7513 2beb6ed lstrcpyA 7567 2be5ce1 7513->7567 7514 2bee819 11 API calls 7514->7547 7517 2beb71f lstrcmpA 7518 2beb731 lstrlenA 7517->7518 7517->7547 7518->7547 7519 2beb772 GetTickCount 7519->7547 7520 2bebd49 InterlockedIncrement 7661 2bea628 7520->7661 7523 2bebc5b InterlockedIncrement 7523->7547 7524 2beb7ce InterlockedIncrement 7577 2beacd7 7524->7577 7527 2beb912 GetTickCount 7527->7547 7528 2beb826 InterlockedIncrement 7528->7519 7529 2bebcdc closesocket 7529->7547 7530 2beb932 GetTickCount 7531 
2bebc6d InterlockedIncrement 7530->7531 7530->7547 7531->7547 7532 2be38f0 6 API calls 7532->7547 7534 2beab81 lstrcpynA InterlockedIncrement 7534->7547 7535 2bebba6 InterlockedIncrement 7535->7547 7538 2bebc4c closesocket 7538->7547 7540 2be5ce1 22 API calls 7540->7547 7541 2beba71 wsprintfA 7595 2bea7c1 7541->7595 7542 2be5ded 12 API calls 7542->7547 7545 2bea7c1 22 API calls 7545->7547 7546 2beef1e lstrlenA 7546->7547 7547->7497 7547->7503 7547->7506 7547->7508 7547->7511 7547->7512 7547->7513 7547->7514 7547->7517 7547->7518 7547->7519 7547->7520 7547->7523 7547->7524 7547->7527 7547->7528 7547->7529 7547->7530 7547->7532 7547->7534 7547->7535 7547->7538 7547->7540 7547->7541 7547->7542 7547->7545 7547->7546 7548 2bea688 GetTickCount 7547->7548 7549 2be3e10 7547->7549 7552 2be3e4f 7547->7552 7555 2be384f 7547->7555 7575 2bea7a3 inet_ntoa 7547->7575 7582 2beabee 7547->7582 7594 2be1feb GetTickCount 7547->7594 7615 2be3cfb 7547->7615 7618 2beb3c5 7547->7618 7649 2beab81 7547->7649 7548->7547 7550 2be30fa 4 API calls 7549->7550 7551 2be3e1d 7550->7551 7551->7547 7553 2be30fa 4 API calls 7552->7553 7554 2be3e5c 7553->7554 7554->7547 7556 2be30fa 4 API calls 7555->7556 7558 2be3863 7556->7558 7557 2be38b2 7557->7547 7558->7557 7559 2be38b9 7558->7559 7560 2be3889 7558->7560 7670 2be35f9 7559->7670 7664 2be3718 7560->7664 7565 2be3718 6 API calls 7565->7557 7566 2be35f9 6 API calls 7566->7557 7568 2be5cec 7567->7568 7569 2be5cf4 7567->7569 7676 2be4bd1 GetTickCount 7568->7676 7571 2be4bd1 4 API calls 7569->7571 7572 2be5d02 7571->7572 7681 2be5472 7572->7681 7576 2bea7b9 7575->7576 7576->7547 7578 2bef315 14 API calls 7577->7578 7579 2beaceb 7578->7579 7580 2beacff 7579->7580 7581 2bef315 14 API calls 7579->7581 7580->7547 7581->7580 7583 2beabfb 7582->7583 7586 2beac65 7583->7586 7744 2be2f22 7583->7744 7585 2bef315 14 API calls 7585->7586 7586->7585 7587 2beac6f 7586->7587 7593 2beac8a 7586->7593 7588 2beab81 2 API calls 7587->7588 7590 2beac81 7588->7590 7589 
2be2684 2 API calls 7591 2beac23 7589->7591 7752 2be38f0 7590->7752 7591->7586 7591->7589 7593->7547 7594->7547 7596 2bea7df 7595->7596 7597 2bea87d lstrlenA send 7595->7597 7596->7597 7604 2bea7fa wsprintfA 7596->7604 7606 2bea80a 7596->7606 7607 2bea8f2 7596->7607 7598 2bea8bf 7597->7598 7599 2bea899 7597->7599 7600 2bea8c4 send 7598->7600 7598->7607 7602 2bea8a5 wsprintfA 7599->7602 7608 2bea89e 7599->7608 7603 2bea8d8 wsprintfA 7600->7603 7600->7607 7601 2bea978 recv 7601->7607 7609 2bea982 7601->7609 7602->7608 7603->7608 7604->7606 7605 2bea9b0 wsprintfA 7605->7608 7606->7597 7607->7601 7607->7605 7607->7609 7608->7547 7609->7608 7610 2be30b5 2 API calls 7609->7610 7611 2beab05 7610->7611 7612 2bee819 11 API calls 7611->7612 7613 2beab17 7612->7613 7614 2bea7a3 inet_ntoa 7613->7614 7614->7608 7616 2be30fa 4 API calls 7615->7616 7617 2be3d0b 7616->7617 7617->7547 7619 2be5ce1 22 API calls 7618->7619 7620 2beb3e6 7619->7620 7621 2be5ce1 22 API calls 7620->7621 7622 2beb404 7621->7622 7623 2beb440 7622->7623 7624 2beef7c 3 API calls 7622->7624 7625 2beef7c 3 API calls 7623->7625 7626 2beb42b 7624->7626 7627 2beb458 wsprintfA 7625->7627 7628 2beef7c 3 API calls 7626->7628 7629 2beef7c 3 API calls 7627->7629 7628->7623 7630 2beb480 7629->7630 7631 2beef7c 3 API calls 7630->7631 7632 2beb493 7631->7632 7633 2beef7c 3 API calls 7632->7633 7634 2beb4bb 7633->7634 7768 2bead89 GetLocalTime SystemTimeToFileTime 7634->7768 7638 2beb4cc 7639 2beef7c 3 API calls 7638->7639 7640 2beb4dd 7639->7640 7641 2beb211 7 API calls 7640->7641 7642 2beb4ec 7641->7642 7643 2beef7c 3 API calls 7642->7643 7644 2beb4fd 7643->7644 7645 2beb211 7 API calls 7644->7645 7646 2beb509 7645->7646 7647 2beef7c 3 API calls 7646->7647 7648 2beb51a 7647->7648 7648->7547 7650 2beabe9 GetTickCount 7649->7650 7652 2beab8c 7649->7652 7654 2bea51d 7650->7654 7651 2beaba8 lstrcpynA 7651->7652 7652->7650 7652->7651 7653 2beabe1 InterlockedIncrement 7652->7653 7653->7652 7655 2bea4c7 4 API calls 7654->7655 
7656 2bea52c 7655->7656 7657 2bea542 GetTickCount 7656->7657 7659 2bea539 GetTickCount 7656->7659 7657->7659 7660 2bea56c 7659->7660 7660->7547 7662 2bea4c7 4 API calls 7661->7662 7663 2bea633 7662->7663 7663->7547 7665 2bef04e 4 API calls 7664->7665 7667 2be372a 7665->7667 7666 2be3847 7666->7557 7666->7565 7667->7666 7668 2be37b3 GetCurrentThreadId 7667->7668 7668->7667 7669 2be37c8 GetCurrentThreadId 7668->7669 7669->7667 7671 2bef04e 4 API calls 7670->7671 7672 2be360c 7671->7672 7673 2be36da GetCurrentThreadId 7672->7673 7675 2be36f1 7672->7675 7674 2be36e5 GetCurrentThreadId 7673->7674 7673->7675 7674->7675 7675->7557 7675->7566 7677 2be4bff InterlockedExchange 7676->7677 7678 2be4bec GetTickCount 7677->7678 7679 2be4c08 7677->7679 7678->7679 7680 2be4bf7 Sleep 7678->7680 7679->7569 7680->7677 7700 2be4763 7681->7700 7683 2be5b58 7710 2be4699 7683->7710 7686 2be4763 lstrlenA 7687 2be5b6e 7686->7687 7731 2be4f9f 7687->7731 7689 2be5b79 7689->7547 7691 2be5549 lstrlenA 7693 2be548a 7691->7693 7693->7683 7694 2be558d lstrcpynA 7693->7694 7695 2be5a9f lstrcpyA 7693->7695 7696 2be4ae6 8 API calls 7693->7696 7697 2be5935 lstrcpynA 7693->7697 7698 2be5472 13 API calls 7693->7698 7699 2be58e7 lstrcpyA 7693->7699 7704 2be4ae6 7693->7704 7708 2beef7c lstrlenA lstrlenA lstrlenA 7693->7708 7694->7693 7695->7693 7696->7693 7697->7693 7698->7693 7699->7693 7703 2be477a 7700->7703 7701 2be4859 7701->7693 7702 2be480d lstrlenA 7702->7703 7703->7701 7703->7702 7705 2be4af3 7704->7705 7707 2be4b03 7704->7707 7706 2beebed 8 API calls 7705->7706 7706->7707 7707->7691 7709 2beefb4 7708->7709 7709->7693 7736 2be45b3 7710->7736 7713 2be45b3 7 API calls 7714 2be46c6 7713->7714 7715 2be45b3 7 API calls 7714->7715 7716 2be46d8 7715->7716 7717 2be45b3 7 API calls 7716->7717 7718 2be46ea 7717->7718 7719 2be45b3 7 API calls 7718->7719 7720 2be46ff 7719->7720 7721 2be45b3 7 API calls 7720->7721 7722 2be4711 7721->7722 7723 2be45b3 7 API calls 7722->7723 7724 2be4723 7723->7724 7725 
2beef7c 3 API calls 7724->7725 7726 2be4735 7725->7726 7727 2beef7c 3 API calls 7726->7727 7728 2be474a 7727->7728 7729 2beef7c 3 API calls 7728->7729 7730 2be475c 7729->7730 7730->7686 7732 2be4fac 7731->7732 7734 2be4fb0 7731->7734 7732->7689 7733 2be4ffd 7733->7689 7734->7733 7735 2be4fd5 IsBadCodePtr 7734->7735 7735->7734 7737 2be45c8 7736->7737 7738 2be45c1 7736->7738 7740 2beebcc 4 API calls 7737->7740 7742 2be45e1 7737->7742 7739 2beebcc 4 API calls 7738->7739 7739->7737 7740->7742 7741 2be4691 7741->7713 7742->7741 7743 2beef7c 3 API calls 7742->7743 7743->7742 7759 2be2d21 GetModuleHandleA 7744->7759 7747 2be2fcf GetProcessHeap HeapFree 7751 2be2f44 7747->7751 7748 2be2f4f 7750 2be2f6b GetProcessHeap HeapFree 7748->7750 7749 2be2f85 7749->7747 7749->7749 7750->7751 7751->7591 7753 2be3980 7752->7753 7754 2be3900 7752->7754 7753->7593 7755 2be30fa 4 API calls 7754->7755 7757 2be390a 7755->7757 7756 2be391b GetCurrentThreadId 7756->7757 7757->7753 7757->7756 7758 2be3939 GetCurrentThreadId 7757->7758 7758->7757 7760 2be2d5b GetProcAddress 7759->7760 7761 2be2d46 LoadLibraryA 7759->7761 7762 2be2d6b DnsQuery_A 7760->7762 7764 2be2d54 7760->7764 7761->7760 7761->7764 7763 2be2d7d 7762->7763 7762->7764 7763->7764 7765 2be2d97 GetProcessHeap HeapAlloc 7763->7765 7764->7748 7764->7749 7764->7751 7765->7764 7767 2be2dac 7765->7767 7766 2be2db5 lstrcpynA 7766->7767 7767->7763 7767->7766 7769 2beadbf 7768->7769 7793 2bead08 gethostname 7769->7793 7772 2be30b5 2 API calls 7773 2beadd3 7772->7773 7774 2bea7a3 inet_ntoa 7773->7774 7775 2beade4 7773->7775 7774->7775 7776 2beae85 wsprintfA 7775->7776 7778 2beae36 wsprintfA wsprintfA 7775->7778 7777 2beef7c 3 API calls 7776->7777 7779 2beaebb 7777->7779 7780 2beef7c 3 API calls 7778->7780 7781 2beef7c 3 API calls 7779->7781 7780->7775 7782 2beaed2 7781->7782 7783 2beb211 7782->7783 7784 2beb2af GetLocalTime 7783->7784 7785 2beb2bb FileTimeToLocalFileTime FileTimeToSystemTime 7783->7785 7786 2beb2d2 7784->7786 7785->7786 
7787 2beb31c GetTimeZoneInformation 7786->7787 7788 2beb2d9 SystemTimeToFileTime 7786->7788 7790 2beb33a wsprintfA 7787->7790 7789 2beb2ec 7788->7789 7791 2beb312 FileTimeToSystemTime 7789->7791 7790->7638 7791->7787 7794 2bead71 7793->7794 7799 2bead26 lstrlenA 7793->7799 7796 2bead79 lstrcpyA 7794->7796 7797 2bead85 7794->7797 7796->7797 7797->7772 7798 2bead68 lstrlenA 7798->7794 7799->7794 7799->7798 7801 2be2d21 7 API calls 7800->7801 7802 2be2f01 7801->7802 7803 2be2f06 7802->7803 7804 2be2f14 7802->7804 7823 2be2df2 GetModuleHandleA 7803->7823 7805 2be2684 2 API calls 7804->7805 7808 2be2f1d 7805->7808 7808->7383 7809 2be2f1f 7809->7383 7811 2bef428 14 API calls 7810->7811 7812 2be198a 7811->7812 7813 2be1998 7812->7813 7814 2be1990 closesocket 7812->7814 7813->7384 7814->7813 7816 2be1c80 7815->7816 7817 2be1cc2 wsprintfA 7816->7817 7819 2be1d1c 7816->7819 7822 2be1d79 7816->7822 7818 2be2684 2 API calls 7817->7818 7818->7816 7820 2be1d47 wsprintfA 7819->7820 7821 2be2684 2 API calls 7820->7821 7821->7822 7822->7382 7824 2be2e0b 7823->7824 7825 2be2e10 LoadLibraryA 7823->7825 7824->7825 7826 2be2e17 7824->7826 7825->7826 7827 2be2ef1 7826->7827 7828 2be2e28 GetProcAddress 7826->7828 7827->7804 7827->7809 7828->7827 7829 2be2e3e GetProcessHeap HeapAlloc 7828->7829 7830 2be2e62 7829->7830 7830->7827 7831 2be2ede GetProcessHeap HeapFree 7830->7831 7832 2be2e7f htons inet_addr 7830->7832 7833 2be2ea5 gethostbyname 7830->7833 7835 2be2ceb 7830->7835 7831->7827 7832->7830 7832->7833 7833->7830 7837 2be2cf2 7835->7837 7838 2be2d1c 7837->7838 7839 2be2d0e Sleep 7837->7839 7840 2be2a62 GetProcessHeap HeapAlloc 7837->7840 7838->7830 7839->7837 7839->7838 7841 2be2a99 socket 7840->7841 7842 2be2a92 7840->7842 7843 2be2ab4 7841->7843 7844 2be2cd3 GetProcessHeap HeapFree 7841->7844 7842->7837 7843->7844 7858 2be2abd 7843->7858 7844->7842 7845 2be2adb htons 7860 2be26ff 7845->7860 7847 2be2b04 select 7847->7858 7848 2be2ca4 7849 2be2cb3 GetProcessHeap HeapFree 
                                                                                          control_flow_graph (continued; rendered edge list of the graph image reduced to its recoverable content): graph nodes span functions at 2be2b3f, 2be2717, 2be6bbc, 2be5029, 2be35a5, 2be4960, 2be5e21, 2be4861, 2be9961, 2be195b, 2be5099, 2be8314, 2be4e92, 2be43d2, 2be5d93, 2be4ed3, 2be5453, 2be6511, 2be8c51, 2be6410, 2be6246, 2be6069, 2be5f3f, 2be5e0d, 2be4c0d, 2be5e4d, 2be448b, 2bee749, 2be5b84, 2bef304, 2be5c05 and 2bef483; APIs referenced in the graph nodes: closesocket, recv, htons, htonl, sendto, setsockopt, WSAStartup, GetTickCount, InterlockedExchange, Sleep, GetProcessHeap, HeapAlloc, HeapFree, CreateFileA, WriteFile, CloseHandle, DeleteFileA, lstrcmpA, lstrcpyA, wsprintfA, IsBadReadPtr, IsBadWritePtr, RegisterServiceCtrlHandlerA, SetServiceStatus, GetCurrentProcess, StackWalk64, ExitProcess, VirtualAlloc, VirtualFree, VirtualProtect, LoadLibraryA, GetProcAddress, FreeLibrary
                                                                                          APIs
                                                                                          • closesocket.WS2_32(?), ref: 02BECA4E
                                                                                          • closesocket.WS2_32(?), ref: 02BECB63
                                                                                          • GetTempPathA.KERNEL32(00000120,?), ref: 02BECC28
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02BECCB4
                                                                                          • WriteFile.KERNEL32(02BEA4B3,?,-000000E8,?,00000000), ref: 02BECCDC
                                                                                          • CloseHandle.KERNEL32(02BEA4B3), ref: 02BECCED
                                                                                          • wsprintfA.USER32 ref: 02BECD21
                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02BECD77
                                                                                          • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02BECD89
                                                                                          • CloseHandle.KERNEL32(?), ref: 02BECD98
                                                                                          • CloseHandle.KERNEL32(?), ref: 02BECD9D
                                                                                          • DeleteFileA.KERNEL32(?), ref: 02BECDC4
                                                                                          • CloseHandle.KERNEL32(02BEA4B3), ref: 02BECDCC
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02BECFB1
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02BECFEF
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02BED033
                                                                                          • lstrcatA.KERNEL32(?,04300108), ref: 02BED10C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 02BED155
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02BED171
                                                                                          • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000), ref: 02BED195
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BED19C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 02BED1C8
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02BED231
                                                                                          • lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02BED27C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02BED2AB
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02BED2C7
                                                                                          • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02BED2EB
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02BED2F2
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02BED326
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02BED372
                                                                                          • lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02BED3BD
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02BED3EC
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02BED408
                                                                                          • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02BED428
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02BED42F
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02BED45B
                                                                                          • CreateProcessA.KERNEL32(?,02BF0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02BED4DE
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02BED4F4
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02BED4FC
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02BED513
                                                                                          • closesocket.WS2_32(?), ref: 02BED56C
                                                                                          • Sleep.KERNEL32(000003E8), ref: 02BED577
                                                                                          • ExitProcess.KERNEL32 ref: 02BED583
                                                                                          • wsprintfA.USER32 ref: 02BED81F
                                                                                            • Part of subcall function 02BEC65C: send.WS2_32(00000000,?,00000000), ref: 02BEC74B
                                                                                          • closesocket.WS2_32(?), ref: 02BEDAD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                          • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                          • API String ID: 562065436-1927557597
                                                                                          • Opcode ID: 7007dcbfb402103e0e4fe84ecdffd90bdd95772ac475ffd0878a3fcdfeaa9f45
                                                                                          • Instruction ID: cb0d42aacebbb28a7a253c3a6561dbafc5988db518dafaed7969b1369f304abe
                                                                                          • Opcode Fuzzy Hash: 7007dcbfb402103e0e4fe84ecdffd90bdd95772ac475ffd0878a3fcdfeaa9f45
                                                                                          • Instruction Fuzzy Hash: 3AB2C2B2D40249AFEF60ABA4DC44FEE7BBDEB08344F0409EAE606A7151D7709A55CF50
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 02BE9A7F
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 02BE9A83
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(02BE6511), ref: 02BE9A8A
                                                                                            • Part of subcall function 02BEEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02BEEC5E
                                                                                            • Part of subcall function 02BEEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02BEEC72
                                                                                            • Part of subcall function 02BEEC54: GetTickCount.KERNEL32 ref: 02BEEC78
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02BE9AB3
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 02BE9ABA
                                                                                          • GetCommandLineA.KERNEL32 ref: 02BE9AFD
                                                                                          • lstrlenA.KERNEL32(?), ref: 02BE9B99
                                                                                          • ExitProcess.KERNEL32 ref: 02BE9C06
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 02BE9CAC
                                                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 02BE9D7A
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 02BE9D8B
                                                                                          • lstrcatA.KERNEL32(?,02BF070C), ref: 02BE9D9D
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02BE9DED
                                                                                          • DeleteFileA.KERNEL32(00000022), ref: 02BE9E38
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02BE9E6F
                                                                                          • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02BE9EC8
                                                                                          • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02BE9ED5
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02BE9F3B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02BE9F5E
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02BE9F6A
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02BE9FAD
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02BE9FB4
                                                                                          • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02BE9FFE
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 02BEA038
                                                                                          • lstrcatA.KERNEL32(00000022,02BF0A34), ref: 02BEA05E
                                                                                          • lstrcatA.KERNEL32(00000022,00000022), ref: 02BEA072
                                                                                          • lstrcatA.KERNEL32(00000022,02BF0A34), ref: 02BEA08D
                                                                                          • wsprintfA.USER32 ref: 02BEA0B6
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 02BEA0DE
                                                                                          • lstrcatA.KERNEL32(00000022,?), ref: 02BEA0FD
                                                                                          • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02BEA120
                                                                                          • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02BEA131
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02BEA174
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 02BEA17B
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 02BEA1B6
                                                                                          • GetCommandLineA.KERNEL32 ref: 02BEA1E5
                                                                                            • Part of subcall function 02BE99D2: lstrcpyA.KERNEL32(?,?,00000100,02BF22F8,00000000,?,02BE9E9D,?,00000022,?,?,?,?,?,?,?), ref: 02BE99DF
                                                                                            • Part of subcall function 02BE99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02BE9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02BE9A3C
                                                                                            • Part of subcall function 02BE99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02BE9E9D,?,00000022,?,?,?), ref: 02BE9A52
                                                                                          • lstrlenA.KERNEL32(?), ref: 02BEA288
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02BEA3B7
                                                                                          • GetLastError.KERNEL32 ref: 02BEA3ED
                                                                                          • Sleep.KERNELBASE(000003E8), ref: 02BEA400
                                                                                          • DeleteFileA.KERNELBASE(02BF33D8), ref: 02BEA407
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,02BE405E,00000000,00000000,00000000), ref: 02BEA42C
                                                                                          • WSAStartup.WS2_32(00001010,?), ref: 02BEA43A
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,02BE877E,00000000,00000000,00000000), ref: 02BEA469
                                                                                          • Sleep.KERNELBASE(00000BB8), ref: 02BEA48A
                                                                                          • GetTickCount.KERNEL32 ref: 02BEA49F
                                                                                          • GetTickCount.KERNEL32 ref: 02BEA4B7
                                                                                          • Sleep.KERNELBASE(00001838), ref: 02BEA4C3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                          • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$D$P$\$gqbqwogt
                                                                                          • API String ID: 2089075347-2461606005
                                                                                          • Opcode ID: 810c156cb4daa72a842da7fcc9708dc8d1d65c67d9d9d6754391bcbf7a4e5911
                                                                                          • Instruction ID: b2ea6b813486287bba8c8e685c883346979c975ac5c3a986966677ca3bb589cc
                                                                                          • Opcode Fuzzy Hash: 810c156cb4daa72a842da7fcc9708dc8d1d65c67d9d9d6754391bcbf7a4e5911
                                                                                          • Instruction Fuzzy Hash: 5D5262B1D40259AFDF51ABA0CC49EEE7BBDEB08304F1448E5F607A3151E7749A888F61

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (rendered edge list of the graph image reduced to its recoverable content): function at 2be199c-2be1ac2; APIs referenced in the graph nodes: inet_addr, LoadLibraryA, GetProcAddress (3 calls), GetBestInterface, GetProcessHeap, HeapAlloc, GetAdaptersInfo, HeapReAlloc, HeapFree, FreeLibrary
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 02BE19B1
                                                                                          • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02BE1E9E), ref: 02BE19BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02BE19E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02BE19ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02BE19F9
                                                                                          • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02BE1E9E), ref: 02BE1A1B
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02BE1E9E), ref: 02BE1A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02BE1E9E), ref: 02BE1A36
                                                                                          • GetAdaptersInfo.IPHLPAPI(00000000,02BE1E9E,?,?,?,?,00000001,02BE1E9E), ref: 02BE1A4A
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,02BE1E9E,?,?,?,?,00000001,02BE1E9E), ref: 02BE1A5A
                                                                                          • GetAdaptersInfo.IPHLPAPI(00000000,02BE1E9E,?,?,?,?,00000001,02BE1E9E), ref: 02BE1A6E
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02BE1E9E), ref: 02BE1A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02BE1E9E), ref: 02BE1AA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                          • API String ID: 293628436-270533642
                                                                                          • Opcode ID: 3a333301e65d388d610d8e0ee07b42fe0fa6e37181a338ce0d0b15447e6d131a
                                                                                          • Instruction ID: 1092e0307697db0702122cf3e563040412a3497e37ce3d8eb53970448790bad2
                                                                                          • Opcode Fuzzy Hash: 3a333301e65d388d610d8e0ee07b42fe0fa6e37181a338ce0d0b15447e6d131a
                                                                                          • Instruction Fuzzy Hash: A3316171D50209AFDF51AFE8CC88CBEBBB5EF44745B6449A9F626A3121D7304E40CB60

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 696 2be7a95-2be7ac2 RegOpenKeyExA 697 2be7acb-2be7ae7 GetUserNameA 696->697 698 2be7ac4-2be7ac6 696->698 700 2be7aed-2be7b1e LookupAccountNameA 697->700 701 2be7da7-2be7db3 RegCloseKey 697->701 699 2be7db4-2be7db6 698->699 700->701 702 2be7b24-2be7b43 RegGetKeySecurity 700->702 701->699 702->701 703 2be7b49-2be7b61 GetSecurityDescriptorOwner 702->703 704 2be7bb8-2be7bd6 GetSecurityDescriptorDacl 703->704 705 2be7b63-2be7b72 EqualSid 703->705 707 2be7bdc-2be7be1 704->707 708 2be7da6 704->708 705->704 706 2be7b74-2be7b88 LocalAlloc 705->706 706->704 709 2be7b8a-2be7b94 InitializeSecurityDescriptor 706->709 707->708 710 2be7be7-2be7bf2 707->710 708->701 711 2be7b96-2be7ba4 SetSecurityDescriptorOwner 709->711 712 2be7bb1-2be7bb2 LocalFree 709->712 710->708 713 2be7bf8-2be7c08 GetAce 710->713 711->712 714 2be7ba6-2be7bab RegSetKeySecurity 711->714 712->704 715 2be7c0e-2be7c1b 713->715 716 2be7cc6 713->716 714->712 718 2be7c4f-2be7c52 715->718 719 2be7c1d-2be7c2f EqualSid 715->719 717 2be7cc9-2be7cd3 716->717 717->713 720 2be7cd9-2be7cdc 717->720 723 2be7c5f-2be7c71 EqualSid 718->723 724 2be7c54-2be7c5e 718->724 721 2be7c36-2be7c38 719->721 722 2be7c31-2be7c34 719->722 720->708 727 2be7ce2-2be7ce8 720->727 721->718 728 2be7c3a-2be7c4d DeleteAce 721->728 722->719 722->721 725 2be7c86 723->725 726 2be7c73-2be7c84 723->726 724->723 729 2be7c8b-2be7c8e 725->729 726->729 730 2be7d5a-2be7d6e LocalAlloc 727->730 731 2be7cea-2be7cf0 727->731 728->717 732 2be7c9d-2be7c9f 729->732 733 2be7c90-2be7c96 729->733 730->708 734 2be7d70-2be7d7a InitializeSecurityDescriptor 730->734 731->730 735 2be7cf2-2be7d0d RegOpenKeyExA 731->735 736 2be7ca7-2be7cc3 732->736 737 2be7ca1-2be7ca5 732->737 733->732 738 2be7d9f-2be7da0 LocalFree 734->738 739 2be7d7c-2be7d8a SetSecurityDescriptorDacl 734->739 735->730 740 2be7d0f-2be7d16 735->740 736->716 737->716 737->736 738->708 739->738 741 2be7d8c-2be7d9a RegSetKeySecurity 739->741 742 2be7d19-2be7d1e 740->742 741->738 744 2be7d9c 741->744 742->742 743 2be7d20-2be7d52 call 2be2544 RegSetValueExA 742->743 743->730 747 2be7d54 743->747 744->738 747->730
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02BE7ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 02BE7ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,02BF070C,?,?,?), ref: 02BE7B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02BE7B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02BE7B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 02BE7B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 02BE7B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02BE7B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02BE7B9C
                                                                                          • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02BE7BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 02BE7BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,02BE7FC9,?,00000000), ref: 02BE7BCE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$D
                                                                                          • API String ID: 2976863881-2668765463
                                                                                          • Opcode ID: 1b968d5315b6f4f77b1dded9fb99f05063d3f83c5e120207cd1d8d7894cbdfde
                                                                                          • Instruction ID: 87ffd29bd5490bdac200f7f303fc8f15ec341acdc08612c41142c79937feac08
                                                                                          • Opcode Fuzzy Hash: 1b968d5315b6f4f77b1dded9fb99f05063d3f83c5e120207cd1d8d7894cbdfde
                                                                                          • Instruction Fuzzy Hash: 08A14DB1D40219AFEF519FA0DC88EEEBBBDFB04344F0444A9E606E3151EB358A55DB60

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 748 2be7809-2be7837 GetUserNameA 749 2be7a8e-2be7a94 748->749 750 2be783d-2be786e LookupAccountNameA 748->750 750->749 751 2be7874-2be78a2 GetLengthSid GetFileSecurityA 750->751 751->749 752 2be78a8-2be78c3 GetSecurityDescriptorOwner 751->752 753 2be791d-2be793b GetSecurityDescriptorDacl 752->753 754 2be78c5-2be78da EqualSid 752->754 755 2be7a8d 753->755 756 2be7941-2be7946 753->756 754->753 757 2be78dc-2be78ed LocalAlloc 754->757 755->749 756->755 758 2be794c-2be7955 756->758 757->753 759 2be78ef-2be78f9 InitializeSecurityDescriptor 757->759 758->755 760 2be795b-2be796b GetAce 758->760 761 2be78fb-2be7909 SetSecurityDescriptorOwner 759->761 762 2be7916-2be7917 LocalFree 759->762 763 2be7a2a 760->763 764 2be7971-2be797e 760->764 761->762 765 2be790b-2be7910 SetFileSecurityA 761->765 762->753 768 2be7a2d-2be7a37 763->768 766 2be79ae-2be79b1 764->766 767 2be7980-2be7992 EqualSid 764->767 765->762 772 2be79be-2be79d0 EqualSid 766->772 773 2be79b3-2be79bd 766->773 769 2be7999-2be799b 767->769 770 2be7994-2be7997 767->770 768->760 771 2be7a3d-2be7a41 768->771 769->766 774 2be799d-2be79ac DeleteAce 769->774 770->767 770->769 771->755 775 2be7a43-2be7a54 LocalAlloc 771->775 776 2be79e5 772->776 777 2be79d2-2be79e3 772->777 773->772 774->768 775->755 778 2be7a56-2be7a60 InitializeSecurityDescriptor 775->778 779 2be79ea-2be79ed 776->779 777->779 782 2be7a86-2be7a87 LocalFree 778->782 783 2be7a62-2be7a71 SetSecurityDescriptorDacl 778->783 780 2be79ef-2be79f5 779->780 781 2be79f8-2be79fb 779->781 780->781 784 2be79fd-2be7a01 781->784 785 2be7a03-2be7a0e 781->785 782->755 783->782 786 2be7a73-2be7a81 SetFileSecurityA 783->786 784->763 784->785 787 2be7a19-2be7a24 785->787 788 2be7a10-2be7a17 785->788 786->782 789 2be7a83 786->789 790 2be7a27 787->790 788->790 789->782 790->763
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 02BE782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02BE7866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 02BE7878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02BE789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,02BE7F63,?), ref: 02BE78B8
                                                                                          • EqualSid.ADVAPI32(?,02BE7F63), ref: 02BE78D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 02BE78E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02BE78F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02BE7901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02BE7910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 02BE7917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02BE7933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 02BE7963
                                                                                          • EqualSid.ADVAPI32(?,02BE7F63), ref: 02BE798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 02BE79A3
                                                                                          • EqualSid.ADVAPI32(?,02BE7F63), ref: 02BE79C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 02BE7A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02BE7A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02BE7A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02BE7A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 02BE7A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: f8e02c7e6e35c74215ebebe087d64ee0d92da3853897f0e586ab7e2a2251cd03
                                                                                          • Instruction ID: b90ca1d4fd9c9bb27cbced215756b51bdfef878aed87e9f70a5df559b5d414c3
                                                                                          • Opcode Fuzzy Hash: f8e02c7e6e35c74215ebebe087d64ee0d92da3853897f0e586ab7e2a2251cd03
                                                                                          • Instruction Fuzzy Hash: BF814971D0021AABDF21DFA4DD48FEEBBB8EF08344F0444AAE616E3151DB348651DBA4

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 791 2be8328-2be833e call 2be7dd6 794 2be8348-2be8356 call 2be6ec3 791->794 795 2be8340-2be8343 791->795 799 2be835c-2be8378 call 2be73ff 794->799 800 2be846b-2be8474 794->800 796 2be877b-2be877d 795->796 808 2be837e-2be8384 799->808 809 2be8464-2be8466 799->809 801 2be847a-2be8480 800->801 802 2be85c2-2be85ce 800->802 801->802 806 2be8486-2be84ba call 2be2544 RegOpenKeyExA 801->806 804 2be8615-2be8620 802->804 805 2be85d0-2be85da call 2be675c 802->805 812 2be8626-2be864c GetTempPathA call 2be8274 call 2beeca5 804->812 813 2be86a7-2be86b0 call 2be6ba7 804->813 816 2be85df-2be85eb 805->816 822 2be8543-2be8571 call 2be2544 RegOpenKeyExA 806->822 823 2be84c0-2be84db RegQueryValueExA 806->823 808->809 814 2be838a-2be838d 808->814 815 2be8779-2be877a 809->815 843 2be864e-2be866f call 2beeca5 812->843 844 2be8671-2be86a4 call 2be2544 call 2beef00 call 2beee2a 812->844 832 2be86b6-2be86bd call 2be7e2f 813->832 833 2be8762 813->833 814->809 820 2be8393-2be8399 814->820 815->796 816->804 821 2be85ed-2be85ef 816->821 827 2be839c-2be83a1 820->827 821->804 828 2be85f1-2be85fa 821->828 851 2be85a5-2be85b7 call 2beee2a 822->851 852 2be8573-2be857b 822->852 830 2be84dd-2be84e1 823->830 831 2be8521-2be852d RegCloseKey 823->831 827->827 837 2be83a3-2be83af 827->837 828->804 839 2be85fc-2be860f call 2be24c2 828->839 830->831 841 2be84e3-2be84e6 830->841 831->822 838 2be852f-2be8541 call 2beeed1 831->838 854 2be875b-2be875c DeleteFileA 832->854 855 2be86c3-2be873b call 2beee2a * 2 lstrcpyA lstrlenA call 2be7fcf CreateProcessA 832->855 836 2be8768-2be876b 833->836 845 2be876d-2be8775 call 2beec2e 836->845 846 2be8776-2be8778 836->846 847 2be83b3-2be83ba 837->847 848 2be83b1 837->848 838->822 838->851 839->804 839->836 841->831 853 2be84e8-2be84f6 call 2beebcc 841->853 843->844 844->813 845->846 846->815 860 2be8450-2be845f call 2beee2a 847->860 861 2be83c0-2be83fb call 2be2544 RegOpenKeyExA 847->861 848->847 851->802 875 2be85b9-2be85c1 call 2beec2e 851->875 863 2be857e-2be8583 852->863 853->831 880 2be84f8-2be8513 RegQueryValueExA 853->880 854->833 899 2be874f-2be875a call 2be7ee6 call 2be7ead 855->899 900 2be873d-2be874d CloseHandle * 2 855->900 860->802 861->860 885 2be83fd-2be841c RegQueryValueExA 861->885 863->863 872 2be8585-2be859f RegSetValueExA RegCloseKey 863->872 872->851 875->802 880->831 881 2be8515-2be851e call 2beec2e 880->881 881->831 890 2be841e-2be8421 885->890 891 2be842d-2be8441 RegSetValueExA 885->891 890->891 895 2be8423-2be8426 890->895 896 2be8447-2be844a RegCloseKey 891->896 895->891 898 2be8428-2be842b 895->898 896->860 898->891 898->896 899->854 900->836
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02BF0750,?,?,00000000,localcfg,00000000), ref: 02BE83F3
                                                                                          • RegQueryValueExA.KERNELBASE(02BF0750,?,00000000,?,02BE8893,?,?,?,00000000,00000103,02BF0750,?,?,00000000,localcfg,00000000), ref: 02BE8414
                                                                                          • RegSetValueExA.KERNELBASE(02BF0750,?,00000000,00000004,02BE8893,00000004,?,?,00000000,00000103,02BF0750,?,?,00000000,localcfg,00000000), ref: 02BE8441
                                                                                          • RegCloseKey.ADVAPI32(02BF0750,?,?,00000000,00000103,02BF0750,?,?,00000000,localcfg,00000000), ref: 02BE844A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe$localcfg
                                                                                          • API String ID: 237177642-2863267139
                                                                                          • Opcode ID: 04ff6e9a9693c973c8a4f6b52068b6b08ecdbaf5523dc7204c56c44ecca03fd4
                                                                                          • Instruction ID: 12193281b0bb79f26809aac92359c5550c1feb75f6c0e54321041009431310cd
                                                                                          • Opcode Fuzzy Hash: 04ff6e9a9693c973c8a4f6b52068b6b08ecdbaf5523dc7204c56c44ecca03fd4
                                                                                          • Instruction Fuzzy Hash: 63C192B1D4050CBEEF51ABA4DC85EEE7BBDEF04344F1448E5F606A6061EB318A949F21

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 02BE1DC6
                                                                                          • GetSystemInfo.KERNELBASE(?), ref: 02BE1DE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02BE1E03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BE1E0A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 02BE1E1B
                                                                                          • GetTickCount.KERNEL32 ref: 02BE1FC9
                                                                                            • Part of subcall function 02BE1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02BE1C15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                          • API String ID: 4207808166-1381319158
                                                                                          • Opcode ID: ec17b297a3c93c4fdb9b2e59d4026de07c0cc95ae147fc2e45675dbd0a3c5d2a
                                                                                          • Instruction ID: c2ab8352d2f9bcf0183133a6ebbd29127bc93dccf8f243dfc2303bb39818f782
                                                                                          • Opcode Fuzzy Hash: ec17b297a3c93c4fdb9b2e59d4026de07c0cc95ae147fc2e45675dbd0a3c5d2a
                                                                                          • Instruction Fuzzy Hash: E551BFB09043446FEB60AF798C89F27BBECEB44748F004D9DB65B82552D774A904CBA2

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 999 2be73ff-2be7419 1000 2be741d-2be7422 999->1000 1001 2be741b 999->1001 1002 2be7426-2be742b 1000->1002 1003 2be7424 1000->1003 1001->1000 1004 2be742d 1002->1004 1005 2be7430-2be7435 1002->1005 1003->1002 1004->1005 1006 2be743a-2be7481 call 2be6dc2 call 2be2544 RegOpenKeyExA 1005->1006 1007 2be7437 1005->1007 1012 2be77f9-2be77fe call 2beee2a 1006->1012 1013 2be7487-2be749d call 2beee2a 1006->1013 1007->1006 1018 2be7801 1012->1018 1019 2be7703-2be770e RegEnumKeyA 1013->1019 1022 2be7804-2be7808 1018->1022 1020 2be7714-2be771d RegCloseKey 1019->1020 1021 2be74a2-2be74b1 call 2be6cad 1019->1021 1020->1018 1025 2be76ed-2be7700 1021->1025 1026 2be74b7-2be74cc call 2bef1a5 1021->1026 1025->1019 1026->1025 1029 2be74d2-2be74f8 RegOpenKeyExA 1026->1029 1030 2be74fe-2be7530 call 2be2544 RegQueryValueExA 1029->1030 1031 2be7727-2be772a 1029->1031 1030->1031 1038 2be7536-2be753c 1030->1038 1033 2be772c-2be7740 call 2beef00 1031->1033 1034 2be7755-2be7764 call 2beee2a 1031->1034 1043 2be774b-2be774e 1033->1043 1044 2be7742-2be7745 RegCloseKey 1033->1044 1041 2be76df-2be76e2 1034->1041 1042 2be753f-2be7544 1038->1042 1041->1025 1045 2be76e4-2be76e7 RegCloseKey 1041->1045 1042->1042 1046 2be7546-2be754b 1042->1046 1047 2be77ec-2be77f7 RegCloseKey 1043->1047 1044->1043 1045->1025 1046->1034 1048 2be7551-2be756b call 2beee95 1046->1048 1047->1022 1048->1034 1051 2be7571-2be7593 call 2be2544 call 2beee95 1048->1051 1056 2be7599-2be75a0 1051->1056 1057 2be7753 1051->1057 1058 2be75c8-2be75d7 call 2beed03 1056->1058 1059 2be75a2-2be75c6 call 2beef00 call 2beed03 1056->1059 1057->1034 1065 2be75d8-2be75da 1058->1065 1059->1065 1067 2be75df-2be7623 call 2beee95 call 2be2544 call 2beee95 call 2beee2a 1065->1067 1068 2be75dc 1065->1068 1077 2be7626-2be762b 1067->1077 1068->1067 1077->1077 1078 2be762d-2be7634 1077->1078 1079 2be7637-2be763c 1078->1079 1079->1079 1080 2be763e-2be7642 1079->1080 1081 2be765c-2be7673 call 2beed23 1080->1081 1082 2be7644-2be7656 call 2beed77 1080->1082 1087 2be7675-2be767e 1081->1087 1088 2be7680 1081->1088 1082->1081 1089 2be7769-2be777c call 2beef00 1082->1089 1091 2be7683-2be768e call 2be6cad 1087->1091 1088->1091 1094 2be77e3-2be77e6 RegCloseKey 1089->1094 1096 2be7694-2be76bf call 2bef1a5 call 2be6c96 1091->1096 1097 2be7722-2be7725 1091->1097 1094->1047 1103 2be76d8 1096->1103 1104 2be76c1-2be76c7 1096->1104 1098 2be76dd 1097->1098 1098->1041 1103->1098 1104->1103 1105 2be76c9-2be76d2 1104->1105 1105->1103 1106 2be777e-2be7797 GetFileAttributesExA 1105->1106 1107 2be779a-2be779f 1106->1107 1108 2be7799 1106->1108 1109 2be77a3-2be77a8 1107->1109 1110 2be77a1 1107->1110 1108->1107 1111 2be77aa-2be77c0 call 2beee08 1109->1111 1112 2be77c4-2be77c8 1109->1112 1110->1109 1111->1112 1114 2be77ca-2be77d6 call 2beef00 1112->1114 1115 2be77d7-2be77dc 1112->1115 1114->1115 1116 2be77de 1115->1116 1117 2be77e0-2be77e2 1115->1117 1116->1117 1117->1094
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 02BE7472
                                                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 02BE74F0
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 02BE7528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 02BE764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 02BE76E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02BE7706
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 02BE7717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 02BE7745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 02BE77EF
                                                                                            • Part of subcall function 02BEF1A5: lstrlenA.KERNEL32(000000C8,000000E4,02BF22F8,000000C8,02BE7150,?), ref: 02BEF1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02BE778F
                                                                                          • RegCloseKey.KERNELBASE(?), ref: 02BE77E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          • Opcode ID: c2b11867c8a2a249ce21fe4d58143e4aa084892c8e06dd4d326bf496d3fb1bfa
                                                                                          • Instruction ID: 6ad6ebebba77c143ead67459e88fbaa3ed0c6412e8aced3f0a824cdfed10fb38
                                                                                          • Opcode Fuzzy Hash: c2b11867c8a2a249ce21fe4d58143e4aa084892c8e06dd4d326bf496d3fb1bfa
                                                                                          • Instruction Fuzzy Hash: 26C18F72940209AFEF11ABA4DC45FEEBBBAEF45314F1404E5E506E6190EF31DA84DB60

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1121 2be675c-2be6778 1122 2be677a-2be677e SetFileAttributesA 1121->1122 1123 2be6784-2be67a2 CreateFileA 1121->1123 1122->1123 1124 2be67a4-2be67b2 CreateFileA 1123->1124 1125 2be67b5-2be67b8 1123->1125 1124->1125 1126 2be67ba-2be67bf SetFileAttributesA 1125->1126 1127 2be67c5-2be67c9 1125->1127 1126->1127 1128 2be67cf-2be67df GetFileSize 1127->1128 1129 2be6977-2be6986 1127->1129 1130 2be696b 1128->1130 1131 2be67e5-2be67e7 1128->1131 1132 2be696e-2be6971 CloseHandle 1130->1132 1131->1130 1133 2be67ed-2be680b ReadFile 1131->1133 1132->1129 1133->1130 1134 2be6811-2be6824 SetFilePointer 1133->1134 1134->1130 1135 2be682a-2be6842 ReadFile 1134->1135 1135->1130 1136 2be6848-2be6861 SetFilePointer 1135->1136 1136->1130 1137 2be6867-2be6876 1136->1137 1138 2be6878-2be688f ReadFile 1137->1138 1139 2be68d5-2be68df 1137->1139 1141 2be68d2 1138->1141 1142 2be6891-2be689e 1138->1142 1139->1132 1140 2be68e5-2be68eb 1139->1140 1143 2be68ed 1140->1143 1144 2be68f0-2be68fe call 2beebcc 1140->1144 1141->1139 1145 2be68b7-2be68ba 1142->1145 1146 2be68a0-2be68b5 1142->1146 1143->1144 1144->1130 1153 2be6900-2be690b SetFilePointer 1144->1153 1147 2be68bd-2be68c3 1145->1147 1146->1147 1149 2be68c8-2be68ce 1147->1149 1150 2be68c5 1147->1150 1149->1138 1152 2be68d0 1149->1152 1150->1149 1152->1139 1154 2be690d-2be6920 ReadFile 1153->1154 1155 2be695a-2be6969 call 2beec2e 1153->1155 1154->1155 1157 2be6922-2be6958 1154->1157 1155->1132 1157->1132
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 02BE677E
                                                                                          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 02BE679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 02BE67B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 02BE67BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 02BE67D3
                                                                                          • ReadFile.KERNELBASE(000000FF,?,00000040,02BE8244,00000000,?,76230F10,00000000), ref: 02BE6807
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02BE681F
                                                                                          • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 02BE683E
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02BE685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,02BE8244,00000000,?,76230F10,00000000), ref: 02BE688B
                                                                                          • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 02BE6906
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000000,02BE8244,00000000,?,76230F10,00000000), ref: 02BE691C
                                                                                          • CloseHandle.KERNELBASE(000000FF,?,76230F10,00000000), ref: 02BE6971
                                                                                            • Part of subcall function 02BEEC2E: GetProcessHeap.KERNEL32(00000000,02BEEA27,00000000,02BEEA27,00000000), ref: 02BEEC41
                                                                                            • Part of subcall function 02BEEC2E: RtlFreeHeap.NTDLL(00000000), ref: 02BEEC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 2622201749-0

                                                                                          Control-flow Graph (function entry at 02BEF315; executed/not-executed graph rendering omitted)
                                                                                          APIs
                                                                                          • htons.WS2_32(02BECA1D), ref: 02BEF34D
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 02BEF367
                                                                                          • closesocket.WS2_32(00000000), ref: 02BEF375
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539

                                                                                          Control-flow Graph (function entry at 02BE405E; executed/not-executed graph rendering omitted)
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02BE4070
                                                                                          • ExitProcess.KERNEL32 ref: 02BE4121
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2404124870-0

                                                                                          Control-flow Graph (function entry at 02BE2D21; executed/not-executed graph rendering omitted)
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,02BE2F01,?,02BE20FF,02BF2000), ref: 02BE2D3A
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 02BE2D4A
                                                                                          • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02BE2D61
                                                                                          • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02BE2D77
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02BE2D99
                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 02BE2DA0
                                                                                          • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02BE2DCB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                          • String ID: DnsQuery_A$dnsapi.dll
                                                                                          • API String ID: 233223969-3847274415

                                                                                          Control-flow Graph (function entry at 02BE80C9; executed/not-executed graph rendering omitted)
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02BE815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02BEA45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02BE8187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02BEA45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02BE81BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02BE8210
                                                                                            • Part of subcall function 02BE675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 02BE677E
                                                                                            • Part of subcall function 02BE675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 02BE679A
                                                                                            • Part of subcall function 02BE675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 02BE67B0
                                                                                            • Part of subcall function 02BE675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 02BE67BF
                                                                                            • Part of subcall function 02BE675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 02BE67D3
                                                                                            • Part of subcall function 02BE675C: ReadFile.KERNELBASE(000000FF,?,00000040,02BE8244,00000000,?,76230F10,00000000), ref: 02BE6807
                                                                                            • Part of subcall function 02BE675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02BE681F
                                                                                            • Part of subcall function 02BE675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 02BE683E
                                                                                            • Part of subcall function 02BE675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02BE685C
                                                                                            • Part of subcall function 02BEEC2E: GetProcessHeap.KERNEL32(00000000,02BEEA27,00000000,02BEEA27,00000000), ref: 02BEEC41
                                                                                            • Part of subcall function 02BEEC2E: RtlFreeHeap.NTDLL(00000000), ref: 02BEEC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: C:\Windows\SysWOW64\gqbqwogt\lnmlavab.exe
                                                                                          • API String ID: 124786226-3352897057

                                                                                          Control-flow Graph (function entry at 02BE1AC3; executed/not-executed graph rendering omitted)
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02BE1AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02BE1AE9
                                                                                          • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02BE1B20
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 3646706440-1087626847

                                                                                          Control-flow Graph (function entry at 02BEE3CA; executed/not-executed graph rendering omitted)
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,02BEE5F2,00000000,00020119,02BEE5F2,02BF22F8), ref: 02BEE3E6
                                                                                          • RegQueryValueExA.ADVAPI32(02BEE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02BEE44E
                                                                                          • RegQueryValueExA.ADVAPI32(02BEE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02BEE482
                                                                                          • RegQueryValueExA.ADVAPI32(02BEE5F2,?,00000000,?,80000001,?), ref: 02BEE4CF
                                                                                          • RegCloseKey.ADVAPI32(02BEE5F2,?,?,?,?,000000C8,000000E4), ref: 02BEE520
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpen
                                                                                          • String ID:
                                                                                          • API String ID: 1586453840-0

                                                                                          Control-flow Graph (function entry at 02BEF26D, a single basic block calling setsockopt five times; executed/not-executed graph rendering omitted)
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02BEF2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02BEF2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02BEF2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02BEF2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02BEF2FD
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
APIs
  • Part of subcall function 02BE1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02BE1AD4
  • Part of subcall function 02BE1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02BE1AE9
  • Part of subcall function 02BE1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02BE1B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 02BE1C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02BE1C51
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2794401326-2393279970
APIs
  • Part of subcall function 02BE1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02BE1AD4
  • Part of subcall function 02BE1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02BE1AE9
  • Part of subcall function 02BE1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02BE1B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 02BE1BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02BE1EFD,00000000,00000000,00000000,00000000), ref: 02BE1BB8
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2794401326-1857712256
APIs
• inet_addr.WS2_32(00000001), ref: 02BE2693
• gethostbyname.WS2_32(00000001), ref: 02BE269F
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
APIs
  • Part of subcall function 02BEDD05: GetTickCount.KERNEL32 ref: 02BEDD0F
  • Part of subcall function 02BEDD05: InterlockedExchange.KERNEL32(02BF36B4,00000001), ref: 02BEDD44
  • Part of subcall function 02BEDD05: GetCurrentThreadId.KERNEL32 ref: 02BEDD53
• GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,02BEA445), ref: 02BEE558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,76230F10,?,00000000,?,02BEA445), ref: 02BEE583
• CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,02BEA445), ref: 02BEE5B2
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
APIs
• Sleep.KERNELBASE(000003E8), ref: 02BE88A5
  • Part of subcall function 02BEF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02BEE342,00000000,75B4EA50,80000001,00000000,02BEE513,?,00000000,00000000,?,000000E4), ref: 02BEF089
  • Part of subcall function 02BEF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02BEE342,00000000,75B4EA50,80000001,00000000,02BEE513,?,00000000,00000000,?,000000E4,000000C8), ref: 02BEF093
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
• API String ID: 1561729337-486471987
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02BF22F8,02BE42B6,00000000,00000001,02BF22F8,00000000,?,02BE98FD), ref: 02BE4021
• GetLastError.KERNEL32(?,02BE98FD,00000001,00000100,02BF22F8,02BEA3C7), ref: 02BE402C
• Sleep.KERNEL32(000001F4,?,02BE98FD,00000001,00000100,02BF22F8,02BEA3C7), ref: 02BE4046
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
APIs
• GetEnvironmentVariableA.KERNEL32(02BEDC19,?,00000104), ref: 02BEDB7F
• lstrcpyA.KERNEL32(?,02BF28F8), ref: 02BEDBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02BEDBC2
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 02BEEC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02BEEC72
• GetTickCount.KERNEL32 ref: 02BEEC78
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
APIs
• gethostname.WS2_32(?,00000080), ref: 02BE30D8
• gethostbyname.WS2_32(?), ref: 02BE30E2
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,02BEDB55,7FFF0001), ref: 02BEEC13
• RtlReAllocateHeap.NTDLL(00000000,?,02BEDB55,7FFF0001), ref: 02BEEC1A
  • Part of subcall function 02BEEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02BEEBFE,7FFF0001,?,02BEDB55,7FFF0001), ref: 02BEEBD3
  • Part of subcall function 02BEEBCC: RtlAllocateHeap.NTDLL(00000000,?,02BEDB55,7FFF0001), ref: 02BEEBDA
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
APIs
  • Part of subcall function 02BEEBA0: GetProcessHeap.KERNEL32(00000000,00000000,02BEEC0A,00000000,80000001,?,02BEDB55,7FFF0001), ref: 02BEEBAD
  • Part of subcall function 02BEEBA0: HeapSize.KERNEL32(00000000,?,02BEDB55,7FFF0001), ref: 02BEEBB4
• GetProcessHeap.KERNEL32(00000000,02BEEA27,00000000,02BEEA27,00000000), ref: 02BEEC41
• RtlFreeHeap.NTDLL(00000000), ref: 02BEEC48
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
                                                                                          • Opcode ID: 861125693c52f9490a8b357f720955291b0e97da663809198cfff30d1589aa6b
                                                                                          • Instruction ID: 72bf886eab1d8cda5ca44ee0e3d70fa943765dc5d09348dc137994dd8e0161ed
                                                                                          • Opcode Fuzzy Hash: 861125693c52f9490a8b357f720955291b0e97da663809198cfff30d1589aa6b
                                                                                          • Instruction Fuzzy Hash: 19C01272C462306BC9913760BC0CF9B6B58DF45A61F090C49F506671598760998046E1
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02BEEBFE,7FFF0001,?,02BEDB55,7FFF0001), ref: 02BEEBD3
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,02BEDB55,7FFF0001), ref: 02BEEBDA
                                                                                            • Part of subcall function 02BEEB74: GetProcessHeap.KERNEL32(00000000,00000000,02BEEC28,00000000,?,02BEDB55,7FFF0001), ref: 02BEEB81
                                                                                            • Part of subcall function 02BEEB74: HeapSize.KERNEL32(00000000,?,02BEDB55,7FFF0001), ref: 02BEEB88
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocateSize
                                                                                          • String ID:
                                                                                          • API String ID: 2559512979-0
                                                                                          • Opcode ID: 209a95e352b3cee0f781cdf297cbd545054298d7a2b303efcc9b7128e50d5664
                                                                                          • Instruction ID: b62c9db1a9736902a0deab9bcb952a762e0dcc43bdc19818da5a7e1994bcd4b1
                                                                                          • Opcode Fuzzy Hash: 209a95e352b3cee0f781cdf297cbd545054298d7a2b303efcc9b7128e50d5664
                                                                                          • Instruction Fuzzy Hash: 63C0807254422067C64137B47C0CF9A3E94DF047E2F040D44F705C7164C73049908791
                                                                                          APIs
                                                                                          • recv.WS2_32(000000C8,?,00000000,02BECA44), ref: 02BEF476
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: recv
                                                                                          • String ID:
                                                                                          • API String ID: 1507349165-0
                                                                                          • Opcode ID: 540dd4ea94207476b2f9fad967b531fdb33c8f7287e85a7e94bb1806e7e8c470
                                                                                          • Instruction ID: b93e5b0183b110cb79289618208d1f9873bfa21434a80fe28ddc22f72a8e0ce9
                                                                                          • Opcode Fuzzy Hash: 540dd4ea94207476b2f9fad967b531fdb33c8f7287e85a7e94bb1806e7e8c470
                                                                                          • Instruction Fuzzy Hash: 3EF01C7220155AAB9F119E9AEC84CBB3BAEFF892507080662FA15D7510D731E8218BB0
                                                                                          APIs
                                                                                          • closesocket.WS2_32(00000000), ref: 02BE1992
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesocket
                                                                                          • String ID:
                                                                                          • API String ID: 2781271927-0
                                                                                          • Opcode ID: 4c5e0fdb0ace6add92becc9c295f7e4d6d00e2338a610e2fac8f25008db81f31
                                                                                          • Instruction ID: 1aa96ede0b85708cf7dd7d635c8bc72fb846bfcd2f5715efb9f63ee2c71eda45
                                                                                          • Opcode Fuzzy Hash: 4c5e0fdb0ace6add92becc9c295f7e4d6d00e2338a610e2fac8f25008db81f31
                                                                                          • Instruction Fuzzy Hash: 13D0222A1482312A5600375CB80047FABACDF042A2710881BFD89C0010C734CC8287A1
                                                                                          APIs
                                                                                          • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02BEDDB5
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmpi
                                                                                          • String ID:
                                                                                          • API String ID: 1586166983-0
                                                                                          • Opcode ID: de0b6e33c8a3fc1fade0c4c2eef29bf06bfbaba43b15c913ce3f11199c7ebc4e
                                                                                          • Instruction ID: e44d24bebeaf588eeb4a9573b2f5e2fbdb9e9223582b8fb4853cc633c78d0086
                                                                                          • Opcode Fuzzy Hash: de0b6e33c8a3fc1fade0c4c2eef29bf06bfbaba43b15c913ce3f11199c7ebc4e
                                                                                          • Instruction Fuzzy Hash: 43F08C32200603CBCF20CE34988465AB3ECEB86329F648DAEE25AD3150D7B4D855CB11
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02BE9816,EntryPoint), ref: 02BE638F
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02BE9816,EntryPoint), ref: 02BE63A9
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02BE63CA
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02BE63EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: bb6d436277db3d5e3702dfe557f8d361f9de974db9452c3ffd30e144fc64bc11
                                                                                          • Instruction ID: c14643e9b73af759a7d9dadce7892d7806f3acdda9606160fcb54e91da45e4c8
                                                                                          • Opcode Fuzzy Hash: bb6d436277db3d5e3702dfe557f8d361f9de974db9452c3ffd30e144fc64bc11
                                                                                          • Instruction Fuzzy Hash: CD1191B1A00219BFDF519F69DC49F9B3BACEB047A4F004464FA06E7290D770DD108AA0
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02BE1839,02BE9646), ref: 02BE1012
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02BE10C2
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02BE10E1
                                                                                          • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02BE1101
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02BE1121
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02BE1140
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02BE1160
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02BE1180
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02BE119F
                                                                                          • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02BE11BF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02BE11DF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02BE11FE
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02BE121A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                          • API String ID: 2238633743-3228201535
                                                                                          • Opcode ID: 9fdb013a1ce5457f5f6c0375ffca367dddbed5448f0fb76061c0a3da09f05bd3
                                                                                          • Instruction ID: d1f32eaf12b84080393b4eee2119a51030188404344db887be0816a50d87df8a
                                                                                          • Opcode Fuzzy Hash: 9fdb013a1ce5457f5f6c0375ffca367dddbed5448f0fb76061c0a3da09f05bd3
                                                                                          • Instruction Fuzzy Hash: B451C9719A2681D6EB909A6CEC40B5133E9E7483A4F248BD6AF2BD31E0D770C8D1CF51
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 02BEB2B3
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02BEB2C2
                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 02BEB2D0
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 02BEB2E1
                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 02BEB31A
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 02BEB329
                                                                                          • wsprintfA.USER32 ref: 02BEB3B7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                          • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                          • API String ID: 766114626-2976066047
                                                                                          • Opcode ID: 0372c48004e48a993c472d693b2e1ab5179494890cb0dc8d7ec98538bfac1a84
                                                                                          • Instruction ID: a7f1cf45e1ae474210fa2eb70552b523ca6b26017dbd95de69f931eda5d421b4
                                                                                          • Opcode Fuzzy Hash: 0372c48004e48a993c472d693b2e1ab5179494890cb0dc8d7ec98538bfac1a84
                                                                                          • Instruction Fuzzy Hash: FA510DB2E0021DAACF94EFD5D9859EFBBB9FF48304F104899E705A6165D3344A8DCB50
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                          • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                          • API String ID: 2400214276-165278494
                                                                                          • Opcode ID: cb59f855cbf6e5194a0d31826aba51c40fe31522b2f8f58eeb98f081aeb36faf
                                                                                          • Instruction ID: e48db61b56527f4b0b25097ec4916a3406de5d0bf567cb7cb19f6fa364c6eb2e
                                                                                          • Opcode Fuzzy Hash: cb59f855cbf6e5194a0d31826aba51c40fe31522b2f8f58eeb98f081aeb36faf
                                                                                          • Instruction Fuzzy Hash: 55614E71950208AFEF60AFB4DC45FEA77E9FF08310F1444A9FA6AD2122DB7199548F50
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$send$lstrlenrecv
                                                                                          • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                          • API String ID: 3650048968-4264063882
                                                                                          • Opcode ID: ac2531aea018acecfaf3aa5b916b6c66d76803989231a1cfe89c25ca79c58395
                                                                                          • Instruction ID: d7eb86d5fa0493e13a25f27c660dae88c631e8b4110f85aea321ed49b9e2c324
                                                                                          • Opcode Fuzzy Hash: ac2531aea018acecfaf3aa5b916b6c66d76803989231a1cfe89c25ca79c58395
                                                                                          • Instruction Fuzzy Hash: 3AA15D71944315BBEF60AA64DC85FBE776EEB00308F1408E6FA13A70A1E771A958CB51
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 02BE139A
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 02BE1571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                          • API String ID: 1628651668-1839596206
                                                                                          • Opcode ID: e0a71ecfc9166ac0a42bca49446b9ffccb45d4c3d6e66204f7d93fb900a34e72
                                                                                          • Instruction ID: 905ee02406059c3aa9328e9761823dbdc3dd2eaa7c8ace5c31c1f6ce23afbf5a
                                                                                          • Opcode Fuzzy Hash: e0a71ecfc9166ac0a42bca49446b9ffccb45d4c3d6e66204f7d93fb900a34e72
                                                                                          • Instruction Fuzzy Hash: B1F19CB15183419FDB20DF68C888BAAB7E5FB88744F108D9DFA9B87250D770D844CB52
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 02BE2A83
                                                                                          • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 02BE2A86
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 02BE2AA0
                                                                                          • htons.WS2_32(00000000), ref: 02BE2ADB
                                                                                          • select.WS2_32 ref: 02BE2B28
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 02BE2B4A
                                                                                          • htons.WS2_32(?), ref: 02BE2B71
                                                                                          • htons.WS2_32(?), ref: 02BE2B8C
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02BE2BFB
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 1639031587-0
                                                                                          • Opcode ID: 951c23b432ad0590d41234f5ff199331b642eecb2a9ca46077fe684888ada9f9
                                                                                          • Instruction ID: a1c26ee682f61ce33de5023f8dfcc276089bc11a9155f6d9ee4ac6ed2d674ce7
                                                                                          • Opcode Fuzzy Hash: 951c23b432ad0590d41234f5ff199331b642eecb2a9ca46077fe684888ada9f9
                                                                                          • Instruction Fuzzy Hash: E161E5B19043059FDB20AF64DC09B6BBBECFB48795F000D49FD8A97251D7B4D8908BA1
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 02BE70C2
• RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 02BE719E
• RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 02BE71B2
• RegCloseKey.ADVAPI32(76230F10), ref: 02BE7208
• RegCloseKey.ADVAPI32(76230F10), ref: 02BE7291
• ___ascii_stricmp.LIBCMT ref: 02BE72C2
• RegCloseKey.ADVAPI32(76230F10), ref: 02BE72D0
• RegCloseKey.ADVAPI32(76230F10), ref: 02BE7314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02BE738D
• RegCloseKey.ADVAPI32(76230F10), ref: 02BE73D8
  • Part of subcall function 02BEF1A5: lstrlenA.KERNEL32(000000C8,000000E4,02BF22F8,000000C8,02BE7150,?), ref: 02BEF1AD
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: a250d622d13a73f3020ed733830f688f51ec1ca27be38d05575ea81f09a5217c
• Instruction ID: 40d8dfa559efe3ac5ff975e6b98962bec059351f000c9f4eb721b6ca21fc8f3b
• Opcode Fuzzy Hash: a250d622d13a73f3020ed733830f688f51ec1ca27be38d05575ea81f09a5217c
• Instruction Fuzzy Hash: C1B18F7284420ABEEF55AFA4DC44FEEB7B9EF04310F1005A6F502E2090EF759A84DB65
APIs
• GetLocalTime.KERNEL32(?), ref: 02BEAD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02BEADA6
  • Part of subcall function 02BEAD08: gethostname.WS2_32(?,00000080), ref: 02BEAD1C
  • Part of subcall function 02BEAD08: lstrlenA.KERNEL32(?), ref: 02BEAD60
  • Part of subcall function 02BEAD08: lstrlenA.KERNEL32(?), ref: 02BEAD69
  • Part of subcall function 02BEAD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 02BEAD7F
  • Part of subcall function 02BE30B5: gethostname.WS2_32(?,00000080), ref: 02BE30D8
  • Part of subcall function 02BE30B5: gethostbyname.WS2_32(?), ref: 02BE30E2
• wsprintfA.USER32 ref: 02BEAEA5
  • Part of subcall function 02BEA7A3: inet_ntoa.WS2_32(00000000), ref: 02BEA7A9
• wsprintfA.USER32 ref: 02BEAE4F
• wsprintfA.USER32 ref: 02BEAE5E
  • Part of subcall function 02BEEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02BEEF92
  • Part of subcall function 02BEEF7C: lstrlenA.KERNEL32(?), ref: 02BEEF99
  • Part of subcall function 02BEEF7C: lstrlenA.KERNEL32(00000000), ref: 02BEEFA0
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: f9e001fe785ffda228728005cd7eabf62686a2ac27a2c5464699b4715717eb39
• Instruction ID: 87cb88a7ad78377efa1004c1b8c0604c19dd2cbf0e91a12865b537ebfc3be254
• Opcode Fuzzy Hash: f9e001fe785ffda228728005cd7eabf62686a2ac27a2c5464699b4715717eb39
• Instruction Fuzzy Hash: CE41F3B290024C6BEF65EFA0DC45EEE37ADFF08350F144896FA1692162EB71D5588F50
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,02BE2F0F,?,02BE20FF,02BF2000), ref: 02BE2E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02BE2F0F,?,02BE20FF,02BF2000), ref: 02BE2E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02BE2E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02BE2F0F,?,02BE20FF,02BF2000), ref: 02BE2E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,02BE2F0F,?,02BE20FF,02BF2000), ref: 02BE2E4F
• htons.WS2_32(00000035), ref: 02BE2E88
• inet_addr.WS2_32(?), ref: 02BE2E93
• gethostbyname.WS2_32(?), ref: 02BE2EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,02BE2F0F,?,02BE20FF,02BF2000), ref: 02BE2EE3
• HeapFree.KERNEL32(00000000,?,00000000,02BE2F0F,?,02BE20FF,02BF2000), ref: 02BE2EE6
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: 345d77624bee2a0f9ecd240576db364bd979be220804acedd8e0fe174626449a
• Instruction ID: d2568ec5a94563b2000ff7689f1829559761f1cd024f565608ceb8eb83f1239a
• Opcode Fuzzy Hash: 345d77624bee2a0f9ecd240576db364bd979be220804acedd8e0fe174626449a
• Instruction Fuzzy Hash: 2D31E431D0021AABDF10BBB89C48B6E777CEF04764F140995FE1AE3291D730C5519BA0
APIs
• GetVersionExA.KERNEL32(?,?,02BE9DD7,?,00000022,?,?,00000000,00000001), ref: 02BE9340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02BE9DD7,?,00000022,?,?,00000000,00000001), ref: 02BE936E
• GetModuleFileNameA.KERNEL32(00000000,?,02BE9DD7,?,00000022,?,?,00000000,00000001), ref: 02BE9375
• wsprintfA.USER32 ref: 02BE93CE
• wsprintfA.USER32 ref: 02BE940C
• wsprintfA.USER32 ref: 02BE948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02BE94F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02BE9526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02BE9571
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: f6503f974ab9e98797ffb7f66418192659b23c52d8a7a7aea19118cd7d3ba726
• Instruction ID: b37ca60d77d161131ce7202d940c7895a951a4fda15f8f484fa89423c64950e3
• Opcode Fuzzy Hash: f6503f974ab9e98797ffb7f66418192659b23c52d8a7a7aea19118cd7d3ba726
• Instruction Fuzzy Hash: CDA180B1940648AFEF21DFA0CC45FDE3BADEB04344F104496FA0692152E775D598CFA0
APIs
• wsprintfA.USER32 ref: 02BEB467
  • Part of subcall function 02BEEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02BEEF92
  • Part of subcall function 02BEEF7C: lstrlenA.KERNEL32(?), ref: 02BEEF99
  • Part of subcall function 02BEEF7C: lstrlenA.KERNEL32(00000000), ref: 02BEEFA0
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: ea6cba80e17d0f09f5516e96d1ddb7dc791ce88d6bd8963deb05684bc1a790de
• Instruction ID: 09920a805665431846930577dd84d9b9bf0d6f6616d224cdcf7b8ca22f5de8cb
• Opcode Fuzzy Hash: ea6cba80e17d0f09f5516e96d1ddb7dc791ce88d6bd8963deb05684bc1a790de
• Instruction Fuzzy Hash: 99417CB254011C7EFF00BAA4CCC1CBF7B6EEF09658F140595FA06B2021DB30EA188BA1
APIs
• GetTickCount.KERNEL32 ref: 02BE2078
• GetTickCount.KERNEL32 ref: 02BE20D4
• GetTickCount.KERNEL32 ref: 02BE20DB
• GetTickCount.KERNEL32 ref: 02BE212B
• GetTickCount.KERNEL32 ref: 02BE2132
• GetTickCount.KERNEL32 ref: 02BE2142
  • Part of subcall function 02BEF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02BEE342,00000000,75B4EA50,80000001,00000000,02BEE513,?,00000000,00000000,?,000000E4), ref: 02BEF089
  • Part of subcall function 02BEF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02BEE342,00000000,75B4EA50,80000001,00000000,02BEE513,?,00000000,00000000,?,000000E4,000000C8), ref: 02BEF093
  • Part of subcall function 02BEE854: lstrcpyA.KERNEL32(00000001,?,?,02BED8DF,00000001,localcfg,except_info,00100000,02BF0264), ref: 02BEE88B
  • Part of subcall function 02BEE854: lstrlenA.KERNEL32(00000001,?,02BED8DF,00000001,localcfg,except_info,00100000,02BF0264), ref: 02BEE899
  • Part of subcall function 02BE1C5F: wsprintfA.USER32 ref: 02BE1CE1
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: 048c3acca177129bf2d20a201928d843250860971a817fced1572a2ccc52045d
• Instruction ID: 4ae81bf61921b4b7b37e27eb8478a559c3d9f6e437fb44296c66b9664194e1b8
• Opcode Fuzzy Hash: 048c3acca177129bf2d20a201928d843250860971a817fced1572a2ccc52045d
• Instruction Fuzzy Hash: 39512271E843064FEB68EF34ED45B263BD9EB00354F100899EF83C71A6DBB49598CA12
APIs
  • Part of subcall function 02BEA4C7: GetTickCount.KERNEL32 ref: 02BEA4D1
  • Part of subcall function 02BEA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02BEA4FA
• GetTickCount.KERNEL32 ref: 02BEC31F
• GetTickCount.KERNEL32 ref: 02BEC32B
• GetTickCount.KERNEL32 ref: 02BEC363
• GetTickCount.KERNEL32 ref: 02BEC378
• GetTickCount.KERNEL32 ref: 02BEC44D
• InterlockedIncrement.KERNEL32(02BEC4E4), ref: 02BEC4AE
• CreateThread.KERNEL32(00000000,00000000,02BEB535,00000000,?,02BEC4E0), ref: 02BEC4C1
• CloseHandle.KERNEL32(00000000,?,02BEC4E0,02BF3588,02BE8810), ref: 02BEC4CC
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: b8715074b2e8075b8a800af4805bf6e7ec32ea5285f3e60618912565c41dc2bd
• Instruction ID: fdc8a9352eb0a0e8186fd5900198d1356c667c5b3e303447be7f306a9abc76d7
• Opcode Fuzzy Hash: b8715074b2e8075b8a800af4805bf6e7ec32ea5285f3e60618912565c41dc2bd
• Instruction Fuzzy Hash: 2D5166B1A00B418FDB649F69C6C462ABBE9FF48304B509D6EE18BC7A90D774E840CB14
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02BEBE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02BEBE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02BEBE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02BEBF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02BEBF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02BEBF94
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 781a9cc5a0ab7d6e3f9434848a23c2c01f486e07dcad89ede4d80871ba601b63
• Instruction ID: b19b544f47ee9ecc474cbdb47475ce8559b8e8b9f849dcd273b0f090da8d8387
• Opcode Fuzzy Hash: 781a9cc5a0ab7d6e3f9434848a23c2c01f486e07dcad89ede4d80871ba601b63
• Instruction Fuzzy Hash: 4D518F71A0061AAFDF11AB64C980B6EBBA9FF0435CF0444E9E943AB225D730E945CFD1
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6A7D
• GetDiskFreeSpaceA.KERNEL32(02BE9E9D,02BE9A60,?,?,?,02BF22F8,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02BE9A60,?,?,02BE9E9D), ref: 02BE6B80
• GetLastError.KERNEL32(?,?,?,02BE9A60,?,?,02BE9E9D,?,?,?,?,?,02BE9E9D,?,00000022,?), ref: 02BE6B96
Memory Dump Source
• Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: ec546d057d8708fab633a8dbd7292f69f076150afece248f3a1046009022d2e5
• Instruction ID: 5fb1d6ea5ffbd269aa08012c82ff3000c4073f12feff8fab2f4f54455b83b138
• Opcode Fuzzy Hash: ec546d057d8708fab633a8dbd7292f69f076150afece248f3a1046009022d2e5
• Instruction Fuzzy Hash: 0C31CEB2D0010DAFDF01AFB48C85BDE7B7DEF68354F1488A6E652A3241D73096A48F61
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,02BED7C3), ref: 02BE6F7A
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02BED7C3), ref: 02BE6FC1
                                                                                          • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02BE6FE8
                                                                                          • LocalFree.KERNEL32(00000120), ref: 02BE701F
                                                                                          • wsprintfA.USER32 ref: 02BE7036
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                          • String ID: /%d$|
                                                                                          • API String ID: 676856371-4124749705
                                                                                          • Opcode ID: b33a0ec9d841ab56e347518fb0398194bd32e41d4ba8df395c24767eb49ce3b6
                                                                                          • Instruction ID: 793bbe5f6516bcc261ab7288ec4cc7173f43f9811cd82bc68d177293f9d0442d
                                                                                          • Opcode Fuzzy Hash: b33a0ec9d841ab56e347518fb0398194bd32e41d4ba8df395c24767eb49ce3b6
                                                                                          • Instruction Fuzzy Hash: 90311A72900209BBDF01DFA8D848ADA7BBCEF04354F0485A6F91ADB115EB35E6188B94
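The routine above resolves the current user name to a SID with LookupAccountNameA and renders it as a string with ConvertSidToStringSidA before formatting it with the "/%d$|" pattern. The parser below is an added example written for this page, not code from the sample or from Joe Sandbox; the SID values in it are constructed. It shows what a responder can read out of such a string: the revision and authority, the three sub-authorities after 21 that are the same for every account on one machine or domain, and the trailing RID that names the account, so two strings recovered from the dump or from traffic can be checked for coming from the same host.

```python
"""Parse and classify Windows SID strings of the form that
ConvertSidToStringSid produces (S-R-A-s1-s2-...). Added example, not the
sample's code; all SID values here are constructed for illustration."""
import re

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(s):
    """Return a dict with revision, identifier authority, sub-authorities
    and RID (the last sub-authority), or None if the string is not a SID."""
    m = _SID_RE.match(s)
    if not m:
        return None
    rev = int(m.group(1))
    auth = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    # Revision is always 1; at most 15 sub-authorities, each 32-bit.
    if rev != 1 or not subs or len(subs) > 15 or any(x > 0xFFFFFFFF for x in subs):
        return None
    return {"revision": rev, "authority": auth, "subauthorities": subs, "rid": subs[-1]}


def classify(s):
    """'account' for local/domain account SIDs (S-1-5-21-<id>-<id>-<id>-RID),
    'service' for SYSTEM / LOCAL SERVICE / NETWORK SERVICE, 'other' for any
    other valid SID, 'invalid' for strings that do not parse."""
    p = parse_sid(s)
    if p is None:
        return "invalid"
    subs = p["subauthorities"]
    if p["authority"] == 5 and subs[:1] == [21] and len(subs) == 5:
        return "account"
    if p["authority"] == 5 and subs in ([18], [19], [20]):
        return "service"
    return "other"


def machine_id(s):
    """The three sub-authorities after 21 identify the machine or domain that
    issued the SID; account SIDs from the same host share them. Returns None
    for anything that is not an account SID."""
    p = parse_sid(s)
    if p is None or classify(s) != "account":
        return None
    return tuple(p["subauthorities"][1:4])


if __name__ == "__main__":
    # Constructed values, not taken from the analysed sample.
    for sid in ("S-1-5-18", "S-1-5-21-1004336348-1177238915-682003330-1001", "S-2-5-18"):
        print(sid, classify(sid), machine_id(sid))
```

When comparing identifiers pulled from memory against values seen on the wire, compare `machine_id()` rather than the whole string: the RID changes per account on the same box, the machine part does not.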
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02BF22F8,000000E4,02BE6DDC,000000C8), ref: 02BE6CE7
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BE6CEE
                                                                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02BE6D14
                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02BE6D2B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                          • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                          • API String ID: 1082366364-3395550214
                                                                                          • Opcode ID: c5204e3d031a39aca52919b426acc8c3ce571b83fd502b039213dd18c25f6f1a
                                                                                          • Instruction ID: a256ddaf9c8b7555da0574b8b1c388e9197a17172cbd92b8f871030aee31a6e4
                                                                                          • Opcode Fuzzy Hash: c5204e3d031a39aca52919b426acc8c3ce571b83fd502b039213dd18c25f6f1a
                                                                                          • Instruction Fuzzy Hash: E9215E61A8024479FFA5A7364C8CF7B3F4DCF16754F1C88C4FE06A7096DB94858982B5
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,02BE9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02BF22F8), ref: 02BE97B1
                                                                                          • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02BF22F8), ref: 02BE97EB
                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02BF22F8), ref: 02BE97F9
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02BF22F8), ref: 02BE9831
                                                                                          • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02BF22F8), ref: 02BE984E
                                                                                          • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02BF22F8), ref: 02BE985B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2981417381-2746444292
                                                                                          • Opcode ID: 89abbf9ae54820295a0e55627d01d5407886a24da57efe260ed329ac2d10e104
                                                                                          • Instruction ID: 9b14e7c2df9199be02014991b4eacc2954a32f3e600af8ffb494fa9e1f0fe2ae
                                                                                          • Opcode Fuzzy Hash: 89abbf9ae54820295a0e55627d01d5407886a24da57efe260ed329ac2d10e104
                                                                                          • Instruction Fuzzy Hash: 39212C71D41119ABDF51AFA1DC49FEF7B7CEF09694F0008A0BA1AE2054EB309658CAA0
                                                                                          APIs
                                                                                            • Part of subcall function 02BEDD05: GetTickCount.KERNEL32 ref: 02BEDD0F
                                                                                            • Part of subcall function 02BEDD05: InterlockedExchange.KERNEL32(02BF36B4,00000001), ref: 02BEDD44
                                                                                            • Part of subcall function 02BEDD05: GetCurrentThreadId.KERNEL32 ref: 02BEDD53
                                                                                            • Part of subcall function 02BEDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02BEDDB5
                                                                                          • lstrcpynA.KERNEL32(?,02BE1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02BEEAAA,?,?), ref: 02BEE8DE
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02BEEAAA,?,?,00000001,?,02BE1E84,?), ref: 02BEE935
                                                                                          • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02BEEAAA,?,?,00000001,?,02BE1E84,?,0000000A), ref: 02BEE93D
                                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02BEEAAA,?,?,00000001,?,02BE1E84,?), ref: 02BEE94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                          • String ID: flags_upd$localcfg
                                                                                          • API String ID: 204374128-3505511081
                                                                                          • Opcode ID: 5a7cfde9d7ee00f68cca9b9dc8af33d7293ba43fbbcbf89587a412835dbf7941
                                                                                          • Instruction ID: 37ec9ea47bf091ff674fb9c55368475c428bcecc0aad3bb12d69be9ef9bcec60
                                                                                          • Opcode Fuzzy Hash: 5a7cfde9d7ee00f68cca9b9dc8af33d7293ba43fbbcbf89587a412835dbf7941
                                                                                          • Instruction Fuzzy Hash: CE51FF72D0020AAFCF11EFA8C984DAEB7F9FF48314F144569E516A7210D775EA158F90
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: 0bb842c657d592dd9584e18e336f55f495fecd55a672e72c4d13a3ceb33fc7f2
                                                                                          • Instruction ID: a000e31d592156a5dca3ea4399e99f3a1384267d4f4b22890ed979f89fe5bb5e
                                                                                          • Opcode Fuzzy Hash: 0bb842c657d592dd9584e18e336f55f495fecd55a672e72c4d13a3ceb33fc7f2
                                                                                          • Instruction Fuzzy Hash: 3A21AC72904109FFDF51ABB0ED88EAF7BACDB147A4B104891F603E2191EB30DA00DA74
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,02BF22F8), ref: 02BE907B
                                                                                          • wsprintfA.USER32 ref: 02BE90E9
                                                                                          • CreateFileA.KERNEL32(02BF22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02BE910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02BE9122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02BE912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BE9134
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 2439722600-0
                                                                                          • Opcode ID: 3e3d56c152ad8a4699a6c2871ed307ba5f7d1fdea886c4458c7715536c4c1ff0
                                                                                          • Instruction ID: f9b014cd6cf2d07548fe200881c0e24bbd943025fde2ba93635ef93f0be87526
                                                                                          • Opcode Fuzzy Hash: 3e3d56c152ad8a4699a6c2871ed307ba5f7d1fdea886c4458c7715536c4c1ff0
                                                                                          • Instruction Fuzzy Hash: B911D6B2A405147BFB657732DC09FAF366EDBC4B10F0088A5BB0BE2155EB708A518B60
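Two of the call chains on this page are worth matching as sequences rather than as single APIs. The function at 02BE97B1 calls CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), then GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread, with a TerminateProcess branch for the failure path: the shape of process hollowing. The function above (02BE907B to 02BE9134) takes GetTempPathA, formats a name with wsprintfA, opens it with CreateFileA using 40000000 (GENERIC_WRITE) and disposition 00000002 (CREATE_ALWAYS), writes it and closes it; the routine listed further down that calls GetModuleFileNameA and CharToOemA uses it as a subcall before ShellExecuteA. The detector below is an added example, not Joe Sandbox or Tofsee code: it runs both patterns over an in-order API trace. The trace records are constructed from the argument lists on this page, and the handle values, the svchost command line and the file name `del.bat` are assumptions made up for the example.

```python
"""Match two API-call sequences seen in this dump, process hollowing and
drop-to-%TEMP%-then-execute, over an ordered API trace. Added example,
not the sample's or the sandbox's code. Trace records are constructed
from the call lists in the report; handles and paths are made up."""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess*
GENERIC_WRITE = 0x40000000      # dwDesiredAccess for CreateFile*
CREATE_ALWAYS = 2               # dwCreationDisposition for CreateFile*


@dataclass
class Call:
    api: str
    args: tuple
    ret: int = 0        # return value where the pattern needs it (handles)


def detect_hollowing(trace):
    """Return (start, end) index spans where a CreateProcess* call with
    CREATE_SUSPENDED is followed, in order, by GetThreadContext,
    WriteProcessMemory, SetThreadContext and ResumeThread. A
    TerminateProcess before the sequence completes is the failure path
    and does not count as a hit."""
    hits = []
    i = 0
    while i < len(trace):
        c = trace[i]
        if c.api.startswith("CreateProcess") and len(c.args) >= 6 and c.args[5] & CREATE_SUSPENDED:
            want = ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
            j = i + 1
            while j < len(trace) and want:
                api = trace[j].api
                if api == "TerminateProcess":
                    break
                if api == want[0]:
                    want.pop(0)
                j += 1
            if not want:
                hits.append((i, j - 1))
                i = j
                continue
        i += 1
    return hits


def detect_drop_and_execute(trace, temp_dir):
    """Return paths that are created under temp_dir with GENERIC_WRITE and
    CREATE_ALWAYS, written to through the returned handle, and later passed
    as the file argument of ShellExecute*."""
    prefix = temp_dir.lower().rstrip("\\") + "\\"
    open_handles = {}   # handle -> path
    dropped = set()     # lower-cased paths that received a WriteFile
    found = []
    for c in trace:
        if c.api.startswith("CreateFile") and len(c.args) >= 5:
            path, access, disposition = c.args[0], c.args[1], c.args[4]
            if str(path).lower().startswith(prefix) and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
                open_handles[c.ret] = path
        elif c.api == "WriteFile" and c.args and c.args[0] in open_handles:
            dropped.add(str(open_handles[c.args[0]]).lower())
        elif c.api.startswith("ShellExecute") and len(c.args) >= 3:
            if str(c.args[2]).lower() in dropped:
                found.append(c.args[2])
    return found


# Constructed trace modelled on the report's call lists (values assumed).
TEMP = "C:\\Users\\user\\AppData\\Local\\Temp"
TRACE = [
    Call("CreateProcessA", (0, "C:\\Windows\\SysWOW64\\svchost.exe", 0, 0, 0, 0x4, 0, 0, 0x19F000, 0x19F040), ret=1),
    Call("GetThreadContext", (0x1A4, 0x19F100)),
    Call("WriteProcessMemory", (0x1A0, 0x00400000, 0x19F200, 4, 0)),
    Call("SetThreadContext", (0x1A4, 0x19F100)),
    Call("ResumeThread", (0x1A4,)),
    Call("GetTempPathA", (0x400, 0x19F300), ret=len(TEMP) + 1),
    Call("CreateFileA", (TEMP + "\\del.bat", 0x40000000, 0, 0, 2, 0, 0), ret=0x1B0),
    Call("lstrlenA", (0x19F400,), ret=72),
    Call("WriteFile", (0x1B0, 0x19F400, 72, 0x19F3F0, 0)),
    Call("CloseHandle", (0x1B0,)),
    Call("ShellExecuteA", (0, 0, TEMP + "\\del.bat", 0, 0, 0)),
]
# The failure branch: GetThreadContext fails and the child is terminated.
FAILED_TRACE = [
    Call("CreateProcessA", (0, "C:\\Windows\\SysWOW64\\svchost.exe", 0, 0, 0, 0x4, 0, 0, 0x19F000, 0x19F040), ret=1),
    Call("GetThreadContext", (0x1A4, 0x19F100)),
    Call("TerminateProcess", (0x1A0, 0)),
    Call("CloseHandle", (0x1A0,)),
]

if __name__ == "__main__":
    print("hollowing spans:", detect_hollowing(TRACE), detect_hollowing(FAILED_TRACE))
    print("dropped and executed:", detect_drop_and_execute(TRACE, TEMP))
```

The hollowing matcher keys on the CREATE_SUSPENDED bit rather than on the API names alone; without it the same five calls are what a debugger or a legitimate loader performs. The drop matcher ties the ShellExecute argument back to a handle that actually received a WriteFile, so a CreateFile that is opened and closed without content does not trigger.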
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 02BEDD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 02BEDD20
                                                                                          • GetTickCount.KERNEL32 ref: 02BEDD2E
                                                                                          • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,02BEE538,?,76230F10,?,00000000,?,02BEA445), ref: 02BEDD3B
                                                                                          • InterlockedExchange.KERNEL32(02BF36B4,00000001), ref: 02BEDD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 02BEDD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: 368f9a0de6b8cb32a49d15160568776f2546c3fab4031c398176cef83e9e56fb
                                                                                          • Instruction ID: a8974aacecfb30adb4b389f6a017f3bfa06b3cb421ddd9f7a751188f36075116
                                                                                          • Opcode Fuzzy Hash: 368f9a0de6b8cb32a49d15160568776f2546c3fab4031c398176cef83e9e56fb
                                                                                          • Instruction Fuzzy Hash: 92F0E972988109FFCBC06BB5E884B2D77E9E745391F004C95E30AC3256C7645065CF21
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 02BEAD1C
                                                                                          • lstrlenA.KERNEL32(?), ref: 02BEAD60
                                                                                          • lstrlenA.KERNEL32(?), ref: 02BEAD69
                                                                                          • lstrcpyA.KERNEL32(?,LocalHost), ref: 02BEAD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: 59360af16e025066ffa6607fc3e091da0d268e3fe48d1e48203131a102543148
                                                                                          • Instruction ID: a5215b6e0b4440730ab3e96f59d08136d52a41429b1bcc23d2891bf769c601c8
                                                                                          • Opcode Fuzzy Hash: 59360af16e025066ffa6607fc3e091da0d268e3fe48d1e48203131a102543148
                                                                                          • Instruction Fuzzy Hash: 0E01F5208841895EDF31563CD844BBD7F6EEB8674BF5084D5E4C29B126EF2490878762
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02BE98FD,00000001,00000100,02BF22F8,02BEA3C7), ref: 02BE4290
                                                                                          • CloseHandle.KERNEL32(02BEA3C7), ref: 02BE43AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 02BE43AE
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID:
                                                                                          • API String ID: 1371578007-0
                                                                                          • Opcode ID: 449e09dd41cb4a1c9d2d5ae970ade694bc45a7c442f7b794f43d595a101963cf
                                                                                          • Instruction ID: 1ead499cce2bef23ec011b09f4a639c5403feaa205cbafe929eb948f1f8658f0
                                                                                          • Opcode Fuzzy Hash: 449e09dd41cb4a1c9d2d5ae970ade694bc45a7c442f7b794f43d595a101963cf
                                                                                          • Instruction Fuzzy Hash: B6419CB1C00209BBDF10ABB1DD85FAFBFB9EF40364F1045A5F606A6181D7349650CBA0
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 02BE609C
                                                                                          • LoadLibraryA.KERNEL32(?,?,02BE64CF,00000000), ref: 02BE60C3
                                                                                          • GetProcAddress.KERNEL32(?,00000014), ref: 02BE614A
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02BE619E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: bfd9bd32489e6fa3776729d548b6846044c107f70681b417d027badcb11364a2
                                                                                          • Instruction ID: 2431f36d28aba79bf6e75195c8616148bb33781ffa2dea9916e65dd3b80efac9
                                                                                          • Opcode Fuzzy Hash: bfd9bd32489e6fa3776729d548b6846044c107f70681b417d027badcb11364a2
                                                                                          • Instruction Fuzzy Hash: 76417F71E0020AEFDF15CF68C884B69B7B9FF24358F1485A9E916D7292D730E990CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ba7e456ed0058b5244d20e27881d2053e64a6cf3f6b0d264b265ebfb9104d3a7
                                                                                          • Instruction ID: a612ef070bc97cbd7a5080a0166e9170f82c7ff67a3154435dfe3297516a7ff5
                                                                                          • Opcode Fuzzy Hash: ba7e456ed0058b5244d20e27881d2053e64a6cf3f6b0d264b265ebfb9104d3a7
                                                                                          • Instruction Fuzzy Hash: 8A31C071A40208ABDF109FA4CC81BBEB7F8FF48701F105896E916E7241E374D641CB60
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 02BE272E
                                                                                          • htons.WS2_32(00000001), ref: 02BE2752
                                                                                          • htons.WS2_32(0000000F), ref: 02BE27D5
                                                                                          • htons.WS2_32(00000001), ref: 02BE27E3
                                                                                          • sendto.WS2_32(?,02BF2BF8,00000009,00000000,00000010,00000010), ref: 02BE2802
                                                                                            • Part of subcall function 02BEEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02BEEBFE,7FFF0001,?,02BEDB55,7FFF0001), ref: 02BEEBD3
                                                                                            • Part of subcall function 02BEEBCC: RtlAllocateHeap.NTDLL(00000000,?,02BEDB55,7FFF0001), ref: 02BEEBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1128258776-0
                                                                                          • Opcode ID: a581cab84845baebd460fa5ad55d4dce029e934191cfeeee37c631adc741ed09
                                                                                          • Instruction ID: 41c1f97fcd604afb4ac098eedf7ebaf1e7beb6f90d90c1f15e9b523203fe07ec
                                                                                          • Opcode Fuzzy Hash: a581cab84845baebd460fa5ad55d4dce029e934191cfeeee37c631adc741ed09
                                                                                          • Instruction Fuzzy Hash: C3316B34A803869FDB109FB4D881A617764EF1D358F1988ADEE56CB313D732D892EB10
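The function above converts 0000000F and 00000001 with htons and then calls sendto with a 16-byte sockaddr. In network byte order those two values are the QTYPE 15 (MX) and QCLASS 1 (IN) fields of a DNS question; reading this routine as a raw UDP MX lookup is an inference from those constants, not something the report states. The code below is an added example, not the sample's code: it builds such a query and recognises one in a UDP payload, which is the check a detection engineer wants when looking for MX lookups coming from hosts that have no business sending mail. The query name and transaction ID are constructed.

```python
"""Build and recognise DNS MX queries on the wire. Added example, not the
sample's code. QTYPE 15 and QCLASS 1 are what htons(0xF) and htons(1)
produce; the query name and transaction id below are constructed."""
import struct

QTYPE_A = 1
QTYPE_MX = 15
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + bytes, zero terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_MX):
    """Standard query, recursion desired, one question, no answer sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(payload):
    """Return (txid, qname, qtype, qclass) for a single-question DNS query,
    or None if the payload is not one (responses and malformed data)."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                          # compression pointers do not belong in a plain query
            return None
        if pos + n > len(payload):
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass


def is_mx_lookup(payload):
    """True for a DNS query whose single question is type MX, class IN."""
    q = parse_question(payload)
    return q is not None and q[2] == QTYPE_MX and q[3] == QCLASS_IN


if __name__ == "__main__":
    pkt = build_query("example.com", 0x1234)      # constructed query
    print(pkt.hex())
    print(parse_question(pkt), is_mx_lookup(pkt))
```

The last four bytes of the built packet are `00 0f 00 01`, which is what the two htons results look like once placed in the question. In a capture, an MX question from a workstation rather than from a mail server is the interesting event; the type check alone is cheap enough to run on every UDP/53 datagram.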
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02BF22F8), ref: 02BE915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 02BE9166
                                                                                          • CharToOemA.USER32(?,?), ref: 02BE9174
                                                                                          • wsprintfA.USER32 ref: 02BE91A9
                                                                                            • Part of subcall function 02BE9064: GetTempPathA.KERNEL32(00000400,?,00000000,02BF22F8), ref: 02BE907B
                                                                                            • Part of subcall function 02BE9064: wsprintfA.USER32 ref: 02BE90E9
                                                                                            • Part of subcall function 02BE9064: CreateFileA.KERNEL32(02BF22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02BE910E
                                                                                            • Part of subcall function 02BE9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02BE9122
                                                                                            • Part of subcall function 02BE9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02BE912D
                                                                                            • Part of subcall function 02BE9064: CloseHandle.KERNEL32(00000000), ref: 02BE9134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02BE91E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3857584221-0
                                                                                          • Opcode ID: 1ebfc0e5ac1b3311cad60a83eb9556bf28c68d7657e84cc50e5678c182b7c09a
                                                                                          • Instruction ID: 6a879d15d694d267945e3f5aaf473bc2cd46e234241d9894325c0bc5d99796d2
                                                                                          • Opcode Fuzzy Hash: 1ebfc0e5ac1b3311cad60a83eb9556bf28c68d7657e84cc50e5678c182b7c09a
                                                                                          • Instruction Fuzzy Hash: 9E0180F69401187BDB60A7618D49FEF777CDB95701F000491BB4AE2051DB7097888F70
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02BE2491,?,?,?,02BEE844,-00000030,?,?,?,00000001), ref: 02BE2429
                                                                                          • lstrlenA.KERNEL32(?,?,02BE2491,?,?,?,02BEE844,-00000030,?,?,?,00000001,02BE1E3D,00000001,localcfg,lid_file_upd), ref: 02BE243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 02BE2452
                                                                                          • lstrlenA.KERNEL32(?,?,02BE2491,?,?,?,02BEE844,-00000030,?,?,?,00000001,02BE1E3D,00000001,localcfg,lid_file_upd), ref: 02BE2467
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: 17fbe8a71db0a17798accc6419785039172c8e40e131e712469add7dfb406314
                                                                                          • Instruction ID: 0b0e63198ced00f70d466603b53ee4b3934f3850c3547a214b0c07832ad19bc4
                                                                                          • Opcode Fuzzy Hash: 17fbe8a71db0a17798accc6419785039172c8e40e131e712469add7dfb406314
                                                                                          • Instruction Fuzzy Hash: 0E01DA31A0021CAFCF11EF69DC849DEBBB9EF44394B05C565EE5A97211E730EA509B90
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          • Opcode ID: 074a0a4e78e65253dfd5344092f4bde5059d393d38682b099ebc2484c4dfec02
                                                                                          • Instruction ID: 8336531c9dba8f371b1efb2327437ac3ee60e391cd87a32ab52117e213f40db9
                                                                                          • Opcode Fuzzy Hash: 074a0a4e78e65253dfd5344092f4bde5059d393d38682b099ebc2484c4dfec02
                                                                                          • Instruction Fuzzy Hash: 02418A729042989FDF21DF788C44AEE3BE99F49310F244096F9A5D3152D734EA04CBA0
                                                                                          APIs
                                                                                            • Part of subcall function 02BEDD05: GetTickCount.KERNEL32 ref: 02BEDD0F
                                                                                            • Part of subcall function 02BEDD05: InterlockedExchange.KERNEL32(02BF36B4,00000001), ref: 02BEDD44
                                                                                            • Part of subcall function 02BEDD05: GetCurrentThreadId.KERNEL32 ref: 02BEDD53
                                                                                          • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,02BE5EC1), ref: 02BEE693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,02BE5EC1), ref: 02BEE6E9
                                                                                          • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,76230F10,00000000,?,02BE5EC1), ref: 02BEE722
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: 89ABCDEF
                                                                                          • API String ID: 3343386518-71641322
                                                                                          • Opcode ID: 02f696f721875a2fd3cb18ef1be9d32ba03c69a8e61a9b6fed9225079e9e03d2
                                                                                          • Instruction ID: 81bc3d2da0aa317836a37ebbba76617dcb200b65a4f333a1235a3e7db657fd4d
                                                                                          • Opcode Fuzzy Hash: 02f696f721875a2fd3cb18ef1be9d32ba03c69a8e61a9b6fed9225079e9e03d2
                                                                                          • Instruction Fuzzy Hash: 2C31BE72A00B06DFCF318F64D884B6677E5EF05374F1088AAEA578B552E770E884CB91
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,02BEE2A3,00000000,00000000,00000000,00020106,00000000,02BEE2A3,00000000,000000E4), ref: 02BEE0B2
                                                                                          • RegSetValueExA.ADVAPI32(02BEE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02BF22F8), ref: 02BEE127
                                                                                          • RegDeleteValueA.ADVAPI32(02BEE2A3,?,?,?,?,?,000000C8,02BF22F8), ref: 02BEE158
                                                                                          • RegCloseKey.ADVAPI32(02BEE2A3,?,?,?,?,000000C8,02BF22F8,?,?,?,?,?,?,?,?,02BEE2A3), ref: 02BEE161
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID:
                                                                                          • API String ID: 2667537340-0
                                                                                          • Opcode ID: 9a0e786a244598f3991b5e42f3a73fe1d8ed0715ae7f8dd44a044d9f4697a8c5
                                                                                          • Instruction ID: de4dba7f45aa614c5021f3842d6870059531c8d32991f66c7974bc4a449b6228
                                                                                          • Opcode Fuzzy Hash: 9a0e786a244598f3991b5e42f3a73fe1d8ed0715ae7f8dd44a044d9f4697a8c5
                                                                                          • Instruction Fuzzy Hash: 9C215E71E0021DBBDF209EA4DC89EDE7F79EF097A0F0040A1FA05A6151E771CA94DB91
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,02BEA3C7,00000000,00000000,000007D0,00000001), ref: 02BE3FB8
                                                                                          • GetLastError.KERNEL32 ref: 02BE3FC2
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 02BE3FD3
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BE3FE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 081149fd61541e72b4ad900940f1e358263878ace2e1c02cd7886043576d2927
                                                                                          • Instruction ID: e3c1d4c689f6d86ad01c65f2634a924a46433e393c580e6502d1931b6d0286db
                                                                                          • Opcode Fuzzy Hash: 081149fd61541e72b4ad900940f1e358263878ace2e1c02cd7886043576d2927
                                                                                          • Instruction Fuzzy Hash: 7501E97291010AABDF11DFA4DD45BEE7BBCEB04355F004491FA02E3050D771DA649BB2
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,02BEA3C7,00000000,00000000,000007D0,00000001), ref: 02BE3F44
                                                                                          • GetLastError.KERNEL32 ref: 02BE3F4E
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 02BE3F5F
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BE3F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: eec4355aad41c18d845e0f830a9e7549a325c6edb8c8bbab7f81358da11e6383
                                                                                          • Instruction ID: 2262e106d1b85ec3a9bd31eba67855980cd6f03d57cda890b56422abeeafae7f
                                                                                          • Opcode Fuzzy Hash: eec4355aad41c18d845e0f830a9e7549a325c6edb8c8bbab7f81358da11e6383
                                                                                          • Instruction Fuzzy Hash: F601D772911109ABDF01DFA0ED44BEE7BBCEB04355F1044A6FA02E3050D730DA248BA2
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 02BE4E9E
                                                                                          • GetTickCount.KERNEL32 ref: 02BE4EAD
                                                                                          • Sleep.KERNEL32(0000000A,?,00000001), ref: 02BE4EBA
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BE4EC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 6ac7905295b006da6a46579e378070ae4b1a9ad5b891d94b08a4147da482dcbb
                                                                                          • Instruction ID: 370620d5580c13bb8db681dd87965f6637968489b3b1307cd8154712908b3f61
                                                                                          • Opcode Fuzzy Hash: 6ac7905295b006da6a46579e378070ae4b1a9ad5b891d94b08a4147da482dcbb
                                                                                          • Instruction Fuzzy Hash: AEE0263264020867DB0032B9AC80F6772599B453A0F010D71E70AC3145C75AD41241B1
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 02BEA4D1
                                                                                          • GetTickCount.KERNEL32 ref: 02BEA4E4
                                                                                          • Sleep.KERNEL32(00000000,?,02BEC2E9,02BEC4E0,00000000,localcfg,?,02BEC4E0,02BF3588,02BE8810), ref: 02BEA4F1
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BEA4FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: ac323cfde70fb5957374b6212aff05b6fe601c57cd4e084c101fdf91dfbeb6d3
                                                                                          • Instruction ID: 7a2cd06925cc3908e17f7956a5976b2d7425676736225a52dc0ae44970b3439c
                                                                                          • Opcode Fuzzy Hash: ac323cfde70fb5957374b6212aff05b6fe601c57cd4e084c101fdf91dfbeb6d3
                                                                                          • Instruction Fuzzy Hash: E5E0263324020867CB0037B5AC84F6A739DEB497A1F0608A1FB06E3242C716A55182B6
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 02BE4BDD
                                                                                          • GetTickCount.KERNEL32 ref: 02BE4BEC
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,0321E09C,02BE50F2), ref: 02BE4BF9
                                                                                          • InterlockedExchange.KERNEL32(0321E090,00000001), ref: 02BE4C02
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 6e512d4cf0c59d593dcbd6e519912f214e35d702d170d45d8e65adbccaf03b62
                                                                                          • Instruction ID: 27d027c374a6654efbf73219a2b47a3e98c32068bafd5d1f68a0e6c1a3f1c902
                                                                                          • Opcode Fuzzy Hash: 6e512d4cf0c59d593dcbd6e519912f214e35d702d170d45d8e65adbccaf03b62
                                                                                          • Instruction Fuzzy Hash: E6E07D3768020C27CB0036B59C80F56736CDB453A1F020CB2F70AC3241C792E41042B1
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 02BE3103
                                                                                          • GetTickCount.KERNEL32 ref: 02BE310F
                                                                                          • Sleep.KERNEL32(00000000), ref: 02BE311C
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BE3128
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 5aa8bf4722ff308e44b418062ec4c2641074a1cd8d23f9dfca715f2747df56c0
                                                                                          • Instruction ID: 71803ea5e49bbfef32e6d1901317e1b59ba807b0a823a16345636d1efce769b9
                                                                                          • Opcode Fuzzy Hash: 5aa8bf4722ff308e44b418062ec4c2641074a1cd8d23f9dfca715f2747df56c0
                                                                                          • Instruction Fuzzy Hash: 9AE0C231640219ABDF403B75AD85B6AAA9ADF847A1F010CB9F302D35A5C75088509A73
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: 32dd3f13e90278597b03d95df4d4ebd66aa10233e97a6559ec5551d84a3958bd
                                                                                          • Instruction ID: a818efa71195922fbe62b67c6d01ad16fd6e28509e873c6553ea5ecc45e7ba53
                                                                                          • Opcode Fuzzy Hash: 32dd3f13e90278597b03d95df4d4ebd66aa10233e97a6559ec5551d84a3958bd
                                                                                          • Instruction Fuzzy Hash: BE21D232A10915AFCF50DF78D88065EBBBAEF21354B2589DDD402DB221CB31E940CB50
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02BEC057
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: 0d51a6c3803de936dcd1d908832a83ef46dc0395a90f303245483b8a1e88f771
                                                                                          • Instruction ID: 16fdcfbdfc1dd1ac249a6e4d0d24009a25a19bd27960300542d824f9bb0a96ec
                                                                                          • Opcode Fuzzy Hash: 0d51a6c3803de936dcd1d908832a83ef46dc0395a90f303245483b8a1e88f771
                                                                                          • Instruction Fuzzy Hash: 27118672500100EFDB429AA9CD44E567FA6FB88358B34859CF6188A136D633D863EB50
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02BE26C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 02BE26E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: 4bd2fbeec08327d5dab13fbd7ac3a54da5beb0f50f5db8c445afd25d1f404cd6
                                                                                          • Instruction ID: c15334aa9b2d1251a339c8c7c1581df637de2bcd6f64538cac414b5f865de523
                                                                                          • Opcode Fuzzy Hash: 4bd2fbeec08327d5dab13fbd7ac3a54da5beb0f50f5db8c445afd25d1f404cd6
                                                                                          • Instruction Fuzzy Hash: 45F037725482097FEF006FA4EC05AAA379DDF05660F148866FE0ADA090DB71E950D798
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,02BEEB54,_alldiv,02BEF0B7,80000001,00000000,00989680,00000000,?,?,?,02BEE342,00000000,75B4EA50,80000001,00000000), ref: 02BEEAF2
                                                                                          • GetProcAddress.KERNEL32(77310000,00000000), ref: 02BEEB07
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: f63ce96398684330c9126a15147b6fc2262bc9d7657aea9b878df184b9b70bee
                                                                                          • Instruction ID: a21adbe3a04055fc99661121e505a598a2d4084ee57a21718850b3df517b91e6
                                                                                          • Opcode Fuzzy Hash: f63ce96398684330c9126a15147b6fc2262bc9d7657aea9b878df184b9b70bee
                                                                                          • Instruction Fuzzy Hash: 0ED0C934A84342EB9F925F79998AE0576E8EB50791B404C95F60BD3611E731E468DA00
                                                                                          APIs
                                                                                            • Part of subcall function 02BE2D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,02BE2F01,?,02BE20FF,02BF2000), ref: 02BE2D3A
                                                                                            • Part of subcall function 02BE2D21: LoadLibraryA.KERNEL32(?), ref: 02BE2D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02BE2F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 02BE2F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.3361760003.0000000002BE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_2be0000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: ccfde512e0ab533f3deea976615e050ef00798274d3b3a789ced7913a66c381f
                                                                                          • Instruction ID: d120cd9a991b184f422bbe55f6ec5c8fa07b2d6125fbae1f8c129a07e9aefced
                                                                                          • Opcode Fuzzy Hash: ccfde512e0ab533f3deea976615e050ef00798274d3b3a789ced7913a66c381f
                                                                                          • Instruction Fuzzy Hash: 25519E7190020AAFDF05AF64D888AFAB7B9FF05304F1445A9ED97D7211E732DA19CB90